Preface



These are the proceedings of Eurocrypt 2004, the 23rd Annual Eurocrypt Conference. The conference was organized by members of the IBM Zurich Research Laboratory in cooperation with IACR, the International Association for Cryptologic Research.

The conference received a record number of 206 submissions, out of which the program committee selected 36 for presentation at the conference (three papers were withdrawn by the authors shortly after submission). These proceedings contain revised versions of the accepted papers. These revisions have not been checked for correctness, and the authors bear full responsibility for the contents of their papers.

The conference program also featured two invited talks. The first one was the 2004 IACR Distinguished Lecture given by Whitfield Diffie. The second invited talk was by Ivan Damgård, who presented “Paradigms for Multiparty Computation.” The traditional rump session with short informal talks on recent results was chaired by Arjen Lenstra.

The reviewing process was a challenging task, and many good submissions had to be rejected. Each paper was reviewed independently by at least three members of the program committee, and papers co-authored by a member of the program committee were reviewed by at least six (other) members. The individual reviewing phase was followed by profound and sometimes lively discussions about the papers, which contributed a lot to the quality of the final selection. Extensive comments were sent to the authors in most cases. At the end, the comments and electronic discussion notes filled more than 32,000 lines of text! We would like to thank the members of the program committee for their hard work over the course of several months; it was a pleasure for us to work with them and to benefit from their knowledge and insight. We are also very grateful to the external reviewers who contributed with their expertise to the selection process. Their work is highly appreciated.

The submission of all papers was done using the electronic submission software written by Chanathip Namprempre with modifications by Andre Adelsbach. During the review process, the program committee was mainly communicating using the Web-based review software developed by Bart Preneel, Wim Moreau, and Joris Claessens. We would like to thank Roger Zimmermann for his help with installing and running the software locally, and for solving many other problems, not the least of which was the assembly of these proceedings. The final decisions were made at a meeting in Rüschlikon at the IBM Zurich Research Laboratory. Helga Steimann helped us with the organization and also made sure there was enough coffee and food available so that we could concentrate on the papers and were not distracted by empty stomachs. Thanks a lot!

We are grateful to Endre Bangerter, Martin Hirt, Reto Strobl, and Roger Zimmermann for their help with the local arrangements of the conference. Eurocrypt 2004 was supported by the IBM Zurich Research Laboratory, Crypto AG, Omnisec, MediaCrypt, HP, Microsoft Research, and Swiss International Air Lines.

Our most important thanks go to our families for bearing with us through 
this busy period, for their support, and for their love. 

Last but not least, we thank all the authors from all over the world who 
submitted papers. It is due to them and their work that the conference took 
place. 

February 2004 Christian Cachin and Jan Camenisch 
Abstract. We consider the problem of computing the intersection of private datasets of two parties, where the datasets contain lists of elements taken from a large domain. This problem has many applications for online collaboration. We present protocols, based on the use of homomorphic encryption and balanced hashing, for both semi-honest and malicious environments. For lists of length k, we obtain O(k) communication overhead and O(k ln ln k) computation. The protocol for the semi-honest environment is secure in the standard model, while the protocol for the malicious environment is secure in the random oracle model. We also consider the problem of approximating the size of the intersection, show a linear lower-bound for the communication overhead of solving this problem, and provide a suitable secure protocol. Lastly, we investigate other variants of the matching problem, including extending the protocol to the multi-party setting as well as considering the problem of approximate matching.



1 Introduction 

This work considers several two-party set-intersection problems and presents corresponding secure protocols. Our protocols enable two parties that each hold a set of inputs, drawn from a large domain, to jointly calculate the intersection of their inputs, without leaking any additional information. The set-intersection primitive is quite useful as it is extensively used in computations over databases, e.g., for data mining where the data is vertically partitioned between parties (namely, each party has different attributes referring to the same subjects).

One could envision the usage of efficient set-intersection protocols for online recommendation services, online dating services, medical databases, and many other applications. We are already beginning to see the deployment of such applications using either trusted third parties or plain insecure communication.

* Research partially done while the author was visiting HP Labs. 

** Research done while the author was at NEC Labs. 
Contributions. We study private two-party computation of set intersection, which we also denote as private matching (PM):

— Protocols for computing private matching, based on homomorphic encryption and balanced allocations: (i) a protocol secure against semi-honest adversaries; and (ii) a protocol, in the random oracle model, secure against malicious adversaries.¹ Their overhead for input lists of length k is O(k) communication and O(k ln ln k) computation, with small constant factors. These protocols are more efficient than previous solutions to this problem.

— Variants of the private matching protocol that (i) compute the intersection size, (ii) decide whether the intersection size is greater than a threshold, or (iii) compute some other function of the intersection set.

— We consider private approximation protocols for the intersection size (similar to the private approximation of the Hamming distance by [10]). A simple reduction from the communication lower-bound on disjointness shows that this problem cannot have a sublinear worst-case communication overhead. We show a sampling-based private approximation protocol that achieves instance-optimal communication.

— We extend the protocol for set intersection to a multi-party setting.

— We introduce the problem of secure approximate (or “fuzzy”) matching and search, and we present protocols for several simple instances.



2 Background and Related Work

Private equality tests (PET). A simpler form of private matching is where each of the two datasets has a single element from a domain of size N. A circuit computing this function has O(log N) gates, and therefore can be securely evaluated with this overhead. Specialized protocols for this function were also suggested in [9, 18, 17], and they essentially have the same overhead. A solution in [3] provides fairness in addition to security.

A circuit-based solution for computing PM of datasets of length k requires O(k² log N) communication and O(k log N) oblivious transfers. Another trivial construction compares all combinations of items from the two datasets using instantiations of a PET protocol (which itself has O(log N) overhead). The computation of this comparison can be reduced to O(k log N), while retaining the O(k² log N) communication overhead [18]. There are additional constructions that solve the private matching problem at the cost of only O(k) exponentiations [12, 8]. However, these constructions were only analyzed in the random oracle model, against semi-honest parties.

Disjointness and set intersection. Protocols for computing (or deciding) the intersection of two sets have been researched both in the general context of communication complexity and in the context of secure protocols. Much attention has been given to evaluating the communication complexity of the disjointness problem, where the two parties in the protocol hold subsets a and b of {1, ..., N}. The disjointness function Disj(a, b) is defined to be 1 if the sets a, b have an empty intersection. It is well known that R_ε(Disj) = Θ(N) [14, 22]. An immediate implication is that computing |a ∩ b| requires Ω(N) communication. Therefore, even without taking privacy into consideration, the communication complexity of private matching is at least proportional to the input size.

One may try and get around the high communication complexity of computing the intersection size by approximating it. In the context of secure protocols, this may lead to a sublinear private approximation protocol for intersection size.² If one settles for an approximation up to additive error εN (for constant ε), it is easy to see that very efficient protocols exist, namely O(log N) bits in the private randomness model [16, Example 5.5]. However, if we require multiplicative error (e.g., an (ε, δ)-approximation), we show a simple reduction from disjointness that proves that a lower-bound of Ω(N) communication bits is necessary for any such approximation protocol. See Section 6 for details.

¹ For malicious clients, we present a protocol that is secure in the standard model.

3 Preliminaries

3.1 Private Matching (PM)

A private matching (PM) scheme is a two-party protocol between a client (chooser) C and a server (sender) S. C’s input is a set of inputs of size k_C, drawn from some domain of size N; S’s input is a set of size k_S drawn from the same domain. At the conclusion of the protocol, C learns which specific inputs are shared by both C and S. That is, if C inputs X = {x_1, ..., x_{k_C}} and S inputs Y = {y_1, ..., y_{k_S}}, C learns X ∩ Y: {x_u | ∃v, x_u = y_v} ← PM(X, Y).

PM Variants. Some variants of the private matching protocol include the following. (i) Private cardinality matching (PM_C) allows C to learn how many inputs it shares with S. That is, C learns |X ∩ Y|: |PM| ← PM_C(X, Y). (ii) Private threshold matching (PM_t) provides C with the answer to the decisional problem whether |X ∩ Y| is greater than some pre-specified threshold t. That is, 1 ← PM_t(X, Y) if PM_C > t and 0 otherwise. (iii) Generalizing PM_C and PM_t, one could define arbitrary private-matching protocols that are simple functions of the intersection set, i.e., based on the output of PM or PM_C.

Private Matching and Oblivious Transfer. We show a simple reduction from oblivious transfer (OT) to private matching. The OT protocol we design is a 1-out-of-2 bit-transfer protocol in the semi-honest case. The sender’s input contains two bits b_0, b_1. The chooser’s input is a bit σ. At the end of the protocol the chooser learns b_σ and nothing else, while the sender learns nothing.

First, the parties generate their respective PM inputs: The sender generates a list of two strings, {0|b_0, 1|b_1}, and the chooser generates the list {σ|0, σ|1}. Then, they run the PM protocol, at the end of which the chooser learns σ|b_σ. It follows by the results of Impagliazzo and Rudich [13] that there is no black-box reduction of private matching from one-way functions.

Since the reduction is used to show an impossibility result, it is sufficient to show it for the simplest form of OT, as we did above. We note that if one actually wants to build an OT protocol from a PM primitive, it is possible to directly construct a 1-out-of-N bit transfer protocol. In addition, the PM-Semi-Honest protocol we describe supports OT of strings.

² Informally, a private approximation is an approximation that does not leak information that is not computable given the exact value. See the definition in [10].



3.2 Adversary Models

This paper considers both semi-honest and malicious adversaries. Due to space constraints, we only provide the intuition and informal definitions of these models. The reader is referred to [11] for the full definitions.

Semi-honest adversaries. In this model, both parties are assumed to act according to their prescribed actions in the protocol. The security definition is straightforward, particularly as in our case where only one party (C) learns an output. We follow [18] and divide the requirements into (i) protecting the client and (ii) protecting the sender.

The client’s security - indistinguishability: Given that the server S gets no output from the protocol, the definition of C’s privacy requires simply that the server cannot distinguish between cases in which the client has different inputs.

The server’s security - comparison to the ideal model: The definition ensures that the client does not get more or different information than the output of the function. This is formalized by considering an ideal implementation where a trusted third party (TTP) gets the inputs of the two parties and outputs the defined function. We require that in the real implementation of the protocol (that is, one without a TTP) the client C does not learn different information than in the ideal implementation.

Malicious adversaries. In this model, an adversary may behave arbitrarily. In particular, we cannot hope to avoid parties (i) refusing to participate in the protocol, (ii) substituting an input with an arbitrary value, and (iii) prematurely aborting the protocol. The standard security definition (see, e.g., [11]) captures both the correctness and privacy issues of the protocol and is limited to the case in which only one party obtains an output. Informally, the definition is based on a comparison to the ideal model with a TTP, where a corrupt party may give arbitrary input to the TTP. The definition also is limited to the case where at least one of the parties is honest: if C (resp. S) is honest, then for any strategy that S (resp. C) can play in the real execution, there is a strategy that it could play in the ideal model, such that the real execution is computationally indistinguishable from execution in the ideal model. We note that the main challenge in ensuring security is enforcing the protocol’s correctness, rather than its privacy.



3.3 Cryptographic Primitives

Homomorphic Encryption Schemes. Our constructions use a semantically-secure public-key encryption scheme that preserves the group homomorphism of addition and allows multiplication by a constant. This property is obtained by Paillier’s cryptosystem [20] and subsequent constructions [21, 7]. That is, it supports the following operations that can be performed without knowledge of the private key: (i) Given two encryptions Enc(m_1) and Enc(m_2), we can efficiently compute Enc(m_1 + m_2). (ii) Given some constant c belonging to the same group, we can compute Enc(cm). We will use the following corollary of these two properties: Given encryptions of the coefficients a_0, ..., a_k of a polynomial P of degree k, and knowledge of a plaintext value y, it is possible to compute an encryption of P(y).³



4 The Semi-Honest Case

4.1 Private Matching for Set Intersection (PM)

The protocol follows the following basic structure. C defines a polynomial P whose roots are her inputs:

P(y) = (x_1 − y)(x_2 − y) ··· (x_{k_C} − y) = Σ_{u=0}^{k_C} a_u y^u

She sends to S homomorphic encryptions of the coefficients of this polynomial.

S uses the homomorphic properties of the encryption system to evaluate the polynomial at each of his inputs. He then multiplies each result by a fresh random number r to get an intermediate result, and he adds to it an encryption of the value of his input, i.e., S computes Enc(r · P(y) + y). Therefore, for each of the elements in the intersection of the two parties’ inputs, the result of this computation is the value of the corresponding element, whereas for all other values the result is random.⁴ See Protocol PM-Semi-Honest.⁵



³ We neglect technicalities that are needed to make sure the resulting ciphertext hides the sequence of homomorphic operations that led to it. This may be achieved, e.g., by multiplying the result by a random encryption of 1.

⁴ This construction can be considered a generalization of the oblivious transfer protocols of [19, 1, 17]. In those, a client retrieving item i sends to the server a predicate which is 0 if and only if i = j where j ∈ [N].

⁵ It is sufficient for Step 3 of the protocol that C is able to decide whether some ciphertext corresponds to x ∈ X (i.e., decryption is not necessary). This weaker property is of use if, for example, one uses the El Gamal encryption scheme and encodes an element x by g^x (to allow the homomorphic properties under addition). This may prevent rP(y) + y from being recovered in the decryption process, yet it is easy for C to decide whether rP(y) + y = x. The Paillier [20] homomorphic encryption scheme recovers rP(y) + y.

Michael J. Freedman, Kobbi Nissim, and Benny Pinkas

Protocol PM-Semi-Honest

Input: C’s input is a set X = {x_1, ..., x_{k_C}}, S’s input is a set Y = {y_1, ..., y_{k_S}}. The elements in the input sets are taken from a domain of size N.

1. C performs the following:

(a) She chooses the secret-key parameters for a semantically-secure homomorphic encryption scheme, and publishes its public keys and parameters. The plaintexts are in a field that contains representations of the N elements of the input domain, but is exponentially larger.

(b) She uses interpolation to compute the coefficients of the polynomial P(y) = Σ_{u=0}^{k_C} a_u y^u of degree k_C with roots {x_1, ..., x_{k_C}}.

(c) She encrypts each of the (k_C + 1) coefficients by the semantically-secure homomorphic encryption scheme and sends to S the resulting set of ciphertexts, {Enc(a_0), ..., Enc(a_{k_C})}.

2. S performs the following for every y ∈ Y:

(a) He uses the homomorphic properties to evaluate the encrypted polynomial at y. That is, he computes Enc(P(y)) = Enc(Σ_{u=0}^{k_C} a_u y^u). See Section 4.2.

(b) He chooses a random value r and computes Enc(rP(y) + y). (One can also encrypt some additional payload data p_y by computing Enc(rP(y) + (y|p_y)). C obtains p_y iff y is in the intersection.)

He randomly permutes this set of k_S ciphertexts and sends the result back to the client C.

3. C decrypts all k_S ciphertexts received. She locally outputs all values x ∈ X for which there is a corresponding decrypted value.

4.2 Efficiently Evaluating the Polynomial

As the computational overhead of exponentiations dominates that of other operations, we evaluate the computational overhead of the protocol by counting exponentiations. Equivalently, we count the number of multiplications of the homomorphically-encrypted values by constants (in Step 2(a)), as these multiplications are actually implemented as exponentiations.

Given the encrypted coefficients Enc(a_u) of a polynomial P, a naive computation of Enc(P(y)) as Enc(Σ_{u=0}^{k_C} y^u a_u) results in an overhead of O(k_C) exponentiations, and hence in a total of O(k_C k_S) exponentiations for PM-Semi-Honest.

The computational overhead can be reduced by noting that the input domain is typically much smaller than the modulus used by the encryption scheme. Hence one may encode the values x, y as numbers in the smaller domain. In addition, Horner’s rule can be used to evaluate the polynomial more efficiently by eliminating large exponents. This yields a significant (large constant factor) reduction in the overhead.

We achieve a more significant reduction of the overhead by allowing the client to use multiple low-degree polynomials and then allocating input values to polynomials by hashing. This results in reducing the computational overhead to O(k_C + k_S ln ln k_C) exponentiations. Details follow.

Exponents from a small domain. Let λ be the security parameter of the encryption scheme (e.g., λ is the modulus size). A typical choice is λ = 1024 or larger. Yet, the input sets are usually of size ≪ 2^λ and may be mapped into a small domain (of length n ≈ 2 log(max(k_C, k_S)) bits) using pairwise-independent hashing, which induces only a small collision probability. The server should compute Enc(P(y)), where y is n bits long.
Using Horner’s rule. We get our first overhead reduction by applying Horner’s rule: P(y) = a_0 + a_1 y + a_2 y² + ··· + a_{k_C} y^{k_C} is evaluated “from the inside out” as a_0 + y(a_1 + y(a_2 + y(a_3 + ··· y(a_{k_C−1} + y a_{k_C}) ···))). One multiplies each intermediate result by a short y, compared with y^u in the naive evaluation, which results in k_C short exponentiations.

When using the “text book” algorithm for computing exponentiations, the computational overhead is linear in the length of the exponent. Therefore, Horner’s rule improves this overhead by a factor of λ/n (which is about 50 for k_C, k_S ≈ 1000). The gain is substantial even when fine-tuned exponentiation algorithms, such as Montgomery’s method or Karatsuba’s technique, are used.
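The following Python is an added example, not code from the paper or its authors: a local run of Protocol PM-Semi-Honest over a textbook Paillier cryptosystem, with Step 2(a) done by Horner’s rule as just described, plus the PM_C cardinality variant of Section 4.4 and the OT-from-PM reduction of Section 3.1. The fixed Mersenne primes, the integer encoding of the strings i|b in the OT reduction, and all sample inputs are constructed for this demo; the resulting 92-bit modulus is far too small for real use.

```python
# Added example (not from the paper): PM-Semi-Honest on top of textbook Paillier.
import secrets
from math import gcd

P_DEMO = 2**31 - 1   # constructed demo primes (both Mersenne primes); n = p*q is ~92 bits
Q_DEMO = 2**61 - 1


class Paillier:
    """Minimal Paillier: Enc(m1)*Enc(m2) = Enc(m1+m2) and Enc(m)^k = Enc(k*m)."""

    def __init__(self, p=P_DEMO, q=Q_DEMO):
        self.n = p * q
        self.n2 = self.n * self.n
        self.g = self.n + 1
        self.lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1), coprime to n here
        self.mu = pow(self.lam, -1, self.n)                  # L(g^lam mod n^2) = lam for g = n+1

    def encrypt(self, m):                       # public data (n, g) only
        r = secrets.randbelow(self.n - 1) + 1   # fresh randomness; gcd(r, n) = 1 except w.p. ~2^-31
        return pow(self.g, m % self.n, self.n2) * pow(r, self.n, self.n2) % self.n2

    def decrypt(self, c):                       # needs the secret (lam, mu)
        u = pow(c, self.lam, self.n2)
        return ((u - 1) // self.n) * self.mu % self.n

    def add(self, c1, c2):                      # (i)  Enc(m1 + m2)
        return c1 * c2 % self.n2

    def mul_const(self, c, k):                  # (ii) Enc(k * m): one exponentiation
        return pow(c, k % self.n, self.n2)


def poly_with_roots(roots, n):
    """Coefficients a_0..a_k (mod n) of P(y) = prod_i (x_i - y); P(y) = 0 iff y is a root."""
    coeffs = [1]
    for x in roots:
        nxt = [0] * (len(coeffs) + 1)
        for u, a in enumerate(coeffs):
            nxt[u] = (nxt[u] + x * a) % n          # x * a_u y^u
            nxt[u + 1] = (nxt[u + 1] - a) % n      # -y * a_u y^u
        coeffs = nxt
    return coeffs


def eval_encrypted_poly(pk, enc_coeffs, y):
    """Step 2(a) by Horner's rule: Enc(a_0 + y(a_1 + y(... + y*a_k))).
    Every exponent is the short value y itself, never y^u."""
    acc = enc_coeffs[-1]
    for c in reversed(enc_coeffs[:-1]):
        acc = pk.add(pk.mul_const(acc, y), c)
    return acc


def server_respond(pk, enc_coeffs, Y, cardinality=False):
    """Step 2: for each y, Enc(r*P(y) + y); PM_C encodes the fixed value 0 instead of y.
    Adding a fresh Enc(payload) also re-randomizes the ciphertext (cf. the footnote on
    hiding the sequence of homomorphic operations)."""
    out = []
    for y in Y:
        r = secrets.randbelow(pk.n - 1) + 1
        payload = 0 if cardinality else y
        blinded = pk.mul_const(eval_encrypted_poly(pk, enc_coeffs, y), r)
        out.append(pk.add(blinded, pk.encrypt(payload)))
    secrets.SystemRandom().shuffle(out)         # random permutation of the k_S ciphertexts
    return out


def client_output(sk, X, ciphertexts, cardinality=False):
    """Step 3: decrypt; output the x in X that appear (for PM_C, count the 0 plaintexts)."""
    plain = [sk.decrypt(c) for c in ciphertexts]
    if cardinality:
        return sum(1 for m in plain if m == 0)
    xs = set(X)
    return sorted(m for m in plain if m in xs)


def private_matching(X, Y, cardinality=False):
    """Run the whole protocol locally, playing both C (who holds the key) and S."""
    key = Paillier()                                                   # Step 1(a)
    enc_coeffs = [key.encrypt(a) for a in poly_with_roots(X, key.n)]  # Steps 1(b), 1(c)
    replies = server_respond(key, enc_coeffs, Y, cardinality)          # Step 2
    return client_output(key, X, replies, cardinality)                 # Step 3


def ot_from_pm(b0, b1, sigma):
    """Section 3.1 reduction: sender lists {0|b0, 1|b1}, chooser lists {sigma|0, sigma|1}.
    The string i|b is encoded (our choice) as the integer 2*i + b + 1, so 0 stays reserved.
    The chooser's single PM output is sigma|b_sigma, from which b_sigma is read off."""
    sender = [2 * 0 + b0 + 1, 2 * 1 + b1 + 1]
    chooser = [2 * sigma + 0 + 1, 2 * sigma + 1 + 1]
    (match,) = private_matching(chooser, sender)
    return (match - 1) % 2
```

Note that the server only ever calls `encrypt`, `add` and `mul_const`, which use the public modulus; `decrypt` is used by the client alone. A `y` that is not a root decrypts to `r·P(y) + y mod n`, which falls inside the small input domain only with negligible probability, which is what Lemma 1 (correctness) relies on.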

Using hashing for bucket allocation. The protocol’s main computational overhead results from the server computing polynomials of degree k_C. We now reduce the degree of these polynomials. For that, we define a process that throws the client’s elements into B bins, such that each bin contains at most M elements.

The client now defines a polynomial of degree M for each bin: All items mapped to the bin by some function h are defined to be roots of the polynomial. In addition, the client adds the root x = 0 to the polynomial, with the multiplicity that sets the total degree of the polynomial to M. That is, if h maps ℓ items to the bin, the client first defines a polynomial whose roots are these ℓ items, and then multiplies it by x^{M−ℓ}. (We assume that 0 is not a valid input.) The process results in B polynomials, all of them of degree M, that have a total of k_C non-zero roots.

C sends to S the encrypted coefficients of the polynomials, and the mapping from elements to bins.⁶ For every y ∈ Y, S finds the bins into which y could be mapped and evaluates the polynomial of those bins. He proceeds as before and responds to C with the encryptions rP(y) + y for every possible bin allocation for all y.

Throwing elements into bins: balanced allocations. We take the mapping from elements to bins to be a random hash function h with a range of size B, chosen by the client. Our goal is to reduce M, the upper bound on the number of items in a bin. It is well known that if the hash function h maps each item to a random bin, then with high probability (over the selection of h), each bin contains at most k_C/B + O(√((k_C/B) log B) + log B) elements. A better allocation is obtained using the balanced allocation hashing by Azar et al. [2]. The function h now chooses two distinct bins for each item, and the item is mapped into the bin which is less occupied at the time of placement. In the resulting protocol, the server uses h to locate the two bins into which y might have been mapped, evaluates both polynomials, and returns the two answers to C.

Theorem 1.1 of [2] shows that the maximum load of a bin is now exponentially smaller: with 1 − o(1) probability, the maximum number of items mapped to a bin is M = (1 + o(1)) ln ln B / ln 2 + Θ(k_C/B). Setting B = k_C / ln ln k_C, we get M = O(ln ln k_C).

⁶ For our purposes, it is sufficient that the mapping is selected pseudo-randomly, either jointly or by either party.
A note on correctness and on constants. One may worry about the case that C is unlucky in her choice of h such that more than M items are mapped to some bin. The bound of [2] only guarantees that this happens with probability o(1). However, Broder and Mitzenmacher [4] have shown that asymptotically, when we map n items into n bins, the number of bins with i or more items falls approximately like 2^{−2.6^i}. This means that a bound of M = 5 suffices with probability 10^{−36}. Furthermore, if the hashing searches for the emptiest in three bins, then M = 3 suffices with probability of about 10^{−10}. The authors also provide experimental results that confirm the asymptotic bound for the case of n = 32,000. We conclude that we can bound ln ln k_C by a small constant in our estimates of the overhead. Simple experimentation can provide finer bounds.

Efficiency. The communication overhead, and the computation overhead of the client, are equal to the total number of coefficients of the polynomials. This number, given by B · M, is O(k_C) if B = k_C / ln ln k_C. If k < 2^{…}, then using B = k_C bins implies that the communication overhead is at most 4 times that of the protocol that does not use hashing.

The server computes, for each item in his input, M exponentiations with a small exponent, and one exponentiation with a full-length exponent (for computing r · P(y)). Expressing this overhead in terms of full-length exponentiations yields an overhead of O(k_S + k_S · ln ln k_C · n/λ) for B = k_C / ln ln k_C. In practice, the overhead of the exponentiations with a small exponent has little effect on the total overhead, which is dominated by k_S full-length exponentiations.
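As an added example, not code from the paper: the two-choice allocation of this section in Python. A keyed BLAKE2b hash stands in for the pseudo-random function h (an assumption of this example, not the paper’s choice), every item goes to the less loaded of its two candidate bins at placement time, each bin’s root list is padded with zero roots up to the maximum load M, and the server-side lookup reuses h to find the bins it must evaluate. The demo input (items 1..k_C with B = k_C bins) is constructed; it also counts the B·(M+1) coefficients from the Efficiency paragraph and contrasts the load with plain single-choice hashing.

```python
# Added example (not the paper's code): balanced-allocation hashing for the PM client.
import hashlib


def candidate_bins(key: bytes, item: int, B: int, choices: int = 2):
    """The `choices` distinct bins that h may map `item` to. A keyed BLAKE2b hash plays
    the pseudo-random function h (assumption of this example); the client picks the key."""
    assert 1 <= choices <= 8
    digest = hashlib.blake2b(item.to_bytes(8, "big"), key=key, digest_size=32).digest()
    bins = []
    for i in range(choices):
        b = int.from_bytes(digest[4 * i:4 * i + 4], "big") % B
        while b in bins:            # keep the candidates distinct, as in [2]
            b = (b + 1) % B
        bins.append(b)
    return bins


def allocate(items, B, key: bytes, choices: int = 2):
    """Client side: each item goes to the least loaded of its candidate bins at placement
    time (choices=1 is plain random hashing, choices=2 the scheme of Azar et al.)."""
    bins = [[] for _ in range(B)]
    for x in items:
        target = min(candidate_bins(key, x, B, choices), key=lambda b: len(bins[b]))
        bins[target].append(x)
    return bins


def max_load(bins):
    """M: the largest number of items in any bin."""
    return max(len(b) for b in bins)


def pad_to_degree(bins, M):
    """Root lists of the B bin polynomials: the ell real items of a bin plus M-ell roots
    at 0 (0 is reserved, so a zero root never matches an input). Each has degree M."""
    padded = []
    for items in bins:
        if len(items) > M:
            raise ValueError("unlucky h: a bin holds more than M items; choose a new key")
        padded.append(list(items) + [0] * (M - len(items)))
    return padded


def server_can_find(items, bins, B, key: bytes, choices: int = 2):
    """Server side: for an input y, S evaluates the polynomials of candidate_bins(y).
    Check that every client item would be reached that way."""
    return all(any(x in bins[b] for b in candidate_bins(key, x, B, choices)) for x in items)


def num_coefficients(B, M):
    """Communication: B polynomials of degree M, i.e. B*(M+1) encrypted coefficients."""
    return B * (M + 1)


def demo(k_c=1000, key=b"constructed demo key"):
    """Allocate k_C constructed items into B = k_C bins with one and two choices."""
    items = list(range(1, k_c + 1))         # constructed client input; 0 is reserved
    one = allocate(items, k_c, key, choices=1)
    two = allocate(items, k_c, key, choices=2)
    M = max_load(two)
    assert server_can_find(items, two, k_c, key) and len(pad_to_degree(two, M)) == k_c
    return {"single_choice_M": max_load(one), "two_choice_M": M,
            "coefficients": num_coefficients(k_c, M)}
```

With B = k_C the two-choice maximum load stays at a small constant for realistic set sizes, which is why the client’s coefficient count B·(M+1) is only a small multiple of k_C; `pad_to_degree` raising on an overfull bin is the practical form of the “unlucky h” case discussed above (the client simply picks a fresh key).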



4.3 Security of PM-Semi-Honest

We state the claims of security for PM in the semi-honest model.

Lemma 1 (Correctness). Protocol PM-Semi-Honest evaluates the PM function with high probability.

(The proof is based on the fact that the client receives an encryption of y for y ∈ X ∩ Y, and an encryption of a random value otherwise.)

Lemma 2 (C’s privacy is preserved). If the encryption scheme is semantically secure, then the views of S for any two inputs of C are indistinguishable.

(The proof uses the fact that the only information that S receives consists of semantically-secure encryptions.)

Lemma 3 (S’s privacy is preserved). For every client C* that operates in the real model, there is a client C operating in the ideal model, such that for every input Y of S, the views of the parties C, S in the ideal model are indistinguishable from the views of C*, S in the real model.

(The proof defines a polynomial whose coefficients are the plaintexts of the encryptions sent by C* to S. The k_C roots of this polynomial are the inputs that C sends to the trusted third party in the ideal implementation.)

Security of the hashing-based protocol. Informally, the hashing-based protocol preserves C’s privacy since (i) S still receives semantically-secure encryptions, and (ii) the key is chosen independently of C’s input. Thus, neither the key nor h reveal any information about X to S. The protocol preserves S’s privacy since the total number of non-zero roots of the polynomials is k_C.



4.4 Variant: Private Matching for Set Cardinality (PM_C)

In a protocol for private cardinality matching, C should learn the cardinality of X ∩ Y, but not the actual elements of this set. S needs only slightly change his behavior from that in Protocol PM-Semi-Honest to enable this functionality. Instead of encoding y in Step 2(b), S now only encodes some “special” string, such as a string of 0’s, i.e., S computes Enc(rP(y) + 0⁺). In Step 3 of the protocol, C counts the number of ciphertexts received from S that decrypt to the string 0⁺ and locally outputs this number c. The proof of security for this protocol trivially follows from that of PM-Semi-Honest.



4.5 Variants: Private Matching for Cardinality Threshold (PM_t) and Other Functions

In a protocol for private threshold matching, C should only learn whether c = |X ∩ Y| > t. To enable this functionality, we change PM-Semi-Honest as follows. (i) In Step 2(b), S encodes random numbers instead of y in PM (or 0⁺ in PM_C). That is, he computes Enc(rP(y) + r_y), for random r_y. (ii) Following the basic PM protocol, C and S engage in a secure circuit evaluation protocol. The circuit takes as input k_S values from each party: C’s input is the ordered set of plaintexts she recovers in Step 3 of the PM protocol. S’s input is the list of random payloads he chooses in Step 2(b), in the same order he sends them. The circuit first computes the equality of these inputs bit-by-bit, which requires k_S λ′ gates, where λ′ is a statistical security parameter. Then, the circuit computes a threshold function on the results of the k_S comparisons.

Hence, the threshold protocol has the initial overhead of a PM protocol plus the overhead of a secure circuit evaluation protocol. Note, however, that the overhead of circuit evaluation is not based on the input domain of size N. Rather, it first needs to compute equality on the input set of size k_S, then compute some simple function of the size of the intersection set. In fact, this protocol can be used to compute any function of the intersection set, e.g., check whether c is within some range, not merely the threshold problem.



5 Security against Malicious Parties

We describe modifications to our PM protocol in order to provide security in the malicious adversary model. Our protocols are based on protocol PM-Semi-Honest, optimized with the balanced allocation hashing.

We first deal with malicious clients and then with malicious servers. Finally, we combine these two protocols to achieve a protocol in which either party may behave adversarially. We take this non-standard approach as: (i) It provides conceptual clarity as to the security concerns for each party; (ii) These protocols may prove useful in varying trust situations, e.g., one might trust a server but not the myriad clients; and (iii) The client protocol is secure in the standard model, while the server protocol is analyzed in the random oracle model.



Protocol PM-Malicious-Client

Input: C has input X of size k_C, and S has input Y of size k_S, as before.

1. C performs the following:

(a) She chooses a key for a pseudo-random function that realizes the balanced allocation hash function h, and she sends it to S.

(b) She chooses a key s for a pseudo-random function F and gives each item x in her input X a new pseudo-identity, F_s(G(x)), where G is a collision-resistant hash function.

(c) For each of her polynomials, C first sets roots to the pseudo-identities of such inputs that were mapped to the corresponding bin. Then, she adds a sufficient number of 0 roots to set the polynomial’s degree to M.

(d) She repeats Steps (b),(c) for L times to generate L copies, using a different key s for F in each iteration.

2. S asks C to open L/2 of the copies.

3. C opens the encryptions of the coefficients of the polynomials for these L/2 copies to S, but does not reveal the associated keys s. Additionally, C sends the keys s used in the unopened L/2 copies.

4. S verifies that each opened copy contains k_C roots. If this verification fails, S halts. Otherwise, S uses the additional L/2 keys he receives, along with the hash function G, to generate the pseudo-identities of his inputs. He runs the protocol for each of the polynomials. However, for an input y, rather than encoding y as the payload for each polynomial, he encodes L/2 random values whose exclusive-or is y.

5. C receives the results, organized as a list of k_S sets of size L/2. She decrypts them, computes the exclusive-or of each set, and compares it to her input.



5.1 Malicious Clients 

To ensure security against a malicious client C, it must be shown that for any 
possible client behavior in the real model, there is an input of size kc that the 
client provides to the TTP in the ideal model, such that his view in the real 
protocol is efficiently simulatable from his view in the ideal model. 

We first describe a simple solution for the implementation that does not use 
hashing. We showed in Lemma 3 that if a value y is not a root of the polynomial 
sent by the client, the client cannot distinguish whether this item is in the 
server’s input. Thus, we have to take care of the possibility that C sends the 
encryption of a polynomial with more than kc roots. This can only happen if all 
the encrypted coefficients are zero (P’s degree is indeterminate). We therefore 
modify the protocol to require that at least one coefficient is non-zero: in Step 
1(b) of Protocol PM-Semi-Honest, C generates the coefficients of P with a0 set 
to 1, then sends encryptions of the other coefficients to S. 

In the protocol that uses hashing, C sends encryptions of the coefficients of 
B polynomials (one per bin), each of degree M. The server must ensure that 
the total number of roots (different than 0) of these polynomials is kc. For that 
we use a cut-and-choose method, as shown in Protocol PM-Malicious-Client. 
With overhead L times that of the original protocol, we get error probability 
that is exponentially small in L. 

Proof (sketch). In our given cut-and-choose protocol, note that C learns about 
an item iff it is a root of all the L/2 copies evaluated by S. Therefore, to learn 
about more than kc items, she must have L/2 copies such that each has more 
than kc roots. The probability that all such polynomials are not checked by S 
is exponentially small in L. This argument can be used to show that, for every 
adversarial C* whose success probability is not exponentially small, there is a 
corresponding C in the ideal model whose input contains at most kc items. 
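As an added note (not from the paper), the probability the proof sketch invokes can be made explicit: if C places more than kc roots in c of the L copies, she gains only when c ≥ L/2, and S opens a uniformly random L/2-subset of the copies, so

```latex
\Pr[\text{no cheating copy is opened}]
  = \frac{\binom{L-c}{L/2}}{\binom{L}{L/2}}
  \le \frac{1}{\binom{L}{L/2}}
  \le \frac{L+1}{2^{L}} ,
```

where the middle step holds because for c ≥ L/2 at most one L/2-subset avoids every cheating copy, and the last because the central binomial coefficient is the largest of the L + 1 coefficients that sum to 2^L.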



5.2 Malicious Servers 

Protocol PM-Semi-Honest of Section 4 enables a malicious server to attack the 
protocol correctness. He can play tricks like encrypting the value r · (P(y) + 
P(y')) + y'' in Step 2(b), so that C concludes that y'' is in the intersection set iff 
both y and y' are in X. This behavior does not correspond to the definition of PM 
in the ideal model. Intuitively, this problem arises from S using two “inputs” in 
the protocol execution for input y — a value for the polynomial evaluation, and 
a value used as a payload — whereas S has a single input in the ideal model. 

We show how to modify Protocol PM-Semi-Honest to gain security against 
malicious servers. The protocol based on balanced allocations may be modified 
similarly. Intuitively, we force the server to run according to its prescribed proce- 
dure. Our construction, PM-Malicious-Server, is in the random oracle model. 

The server’s privacy is preserved as in PM-Semi-Honest: The pair (e, h) is 
indistinguishable from random whenever P(y) ≠ 0. The following lemma shows 
that the client security is preserved under malicious server behavior. 



In the proof, the pseudo-random function F hides from S the identities of the values 
corresponding to the roots of the opened polynomials. The collision-resistant hash 
function G prevents C from setting a root to which S maps two probable inputs. 

He cannot affect C’s privacy as all the information C sends is encrypted via a 
semantically-secure encryption scheme. 

Actually, the number of “inputs” is much higher, as S needs to be consistent in using 
the same y for all the steps of the polynomial-evaluation procedure. 
Protocol PM-Malicious-Server 

Input: C has input X of size kc, and S has input Y of size ks, as before. 

Random Oracles: H1, H2. 

1. C performs the following: 

(a) She chooses a secret-key/public-key pair for the homomorphic encryption scheme, and sends the public-key to S. 

(b) She generates the coefficients of a degree kc polynomial P whose roots are the values in X. She sends to S the encrypted coefficients of P. 

2. S performs the following for every y ∈ Y: 

(a) He chooses a random s and computes r = H1(s). We use r to “derandomize” the rest of S’s computation for y, and we assume that it is of sufficient length. 

(b) He uses the homomorphic properties of the encryption scheme to compute (e, h) = (Enc(r' · P(y) + s), H2(r'', y)). In this computation, r is parsed to supply r', r'' and all the randomness needed in the computation. 

S randomly permutes this set of ks pairs and sends it to C. 

3. C decrypts all the ks pairs she received. She performs the following operations for every pair (e, h): 

(a) She decrypts e to get s and computes r = H1(s). 

(b) She checks whether, for some x ∈ X, the pair (e, h) is consistent with x and s. That is, whether the server yields (e, h) using her encrypted coefficients on y ← x and randomness r. If so, she puts x in the intersection set. 
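The consistency check of Step 3, worked through as an added example (this is not the paper's code). It assumes a toy Paillier instance with two small constructed primes as the homomorphic scheme, SHA-256 standing in for the random oracles H1 and H2, and names such as `server_pair` and `client_match` that are this example's own.

```python
import hashlib
import math
import secrets

# Toy Paillier parameters (constructed for illustration only; real deployments use ~2048-bit n).
P_PRIME, Q_PRIME = 104729, 104723
N = P_PRIME * Q_PRIME
N2 = N * N
G = N + 1
LAM = (P_PRIME - 1) * (Q_PRIME - 1) // math.gcd(P_PRIME - 1, Q_PRIME - 1)
MU = pow(LAM, -1, N)  # L(g^lambda mod n^2) = lambda when g = n + 1


def enc(m, rho):
    """Paillier Enc(m; rho) = g^m * rho^n mod n^2, with the randomness rho made explicit
    so that the client can later re-run the server's computation bit for bit."""
    return (pow(G, m, N2) * pow(rho, N, N2)) % N2


def dec(c):
    return (((pow(c, LAM, N2) - 1) // N) * MU) % N


def H1(s):
    """Random oracle H1 (modelled by SHA-256): expands the seed s into (r', r'', rho)."""
    d = hashlib.sha256(b"H1" + s.to_bytes(16, "big")).digest()
    r1 = int.from_bytes(d[0:8], "big") % N
    r2 = int.from_bytes(d[8:16], "big")
    rho = int.from_bytes(d[16:32], "big") % (N - 2) + 2  # a unit mod n with overwhelming probability
    return r1, r2, rho


def H2(r2, y):
    """Random oracle H2 (modelled by SHA-256) binding the pair to the server's input y."""
    return hashlib.sha256(b"H2" + r2.to_bytes(8, "big") + y.to_bytes(16, "big")).hexdigest()


def poly_from_roots(roots):
    """Coefficients (constant term first) of P(z) = prod_{x in roots} (z - x), mod n."""
    coeffs = [1]
    for x in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - c * x) % N
            nxt[i + 1] = (nxt[i + 1] + c) % N
        coeffs = nxt
    return coeffs


def client_encrypt_poly(X):
    """Step 1(b): the client encrypts the coefficients of the polynomial whose roots are X."""
    return [enc(c, secrets.randbelow(N - 2) + 2) for c in poly_from_roots(X)]


def server_pair(enc_coeffs, y, s):
    """Step 2: (e, h) = (Enc(r' * P(y) + s), H2(r'', y)) with every random choice taken from H1(s).
    Enc(P(y)) is obtained as prod Enc(a_i)^(y^i); the result is then scaled by r' and s is added."""
    r1, r2, rho = H1(s)
    e, ypow = 1, 1
    for c in enc_coeffs:
        e = (e * pow(c, ypow, N2)) % N2
        ypow = (ypow * y) % N
    e = (pow(e, r1, N2) * enc(s, rho)) % N2
    return e, H2(r2, y)


def client_match(enc_coeffs, X, pair):
    """Step 3: decrypt e to recover s (this is s exactly when P(y) = 0), re-derive r = H1(s)
    and accept x only if the server's prescribed computation on y = x reproduces (e, h)."""
    e, h = pair
    s = dec(e)
    for x in X:
        if server_pair(enc_coeffs, x, s) == (e, h):
            return x
    return None


def private_matching(X, Y):
    """Whole protocol run between an honest client holding X and an honest server holding Y."""
    enc_coeffs = client_encrypt_poly(X)
    pairs = [server_pair(enc_coeffs, y, secrets.randbelow(N)) for y in Y]
    secrets.SystemRandom().shuffle(pairs)
    found = (client_match(enc_coeffs, X, p) for p in pairs)
    return {x for x in found if x is not None}
```

A pair whose h was not produced by the prescribed computation on the same y, or whose e decrypts to something other than the seed s, never reproduces itself and is silently dropped by `client_match`.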



Lemma 4 (Security for the client). For every server S* that operates in the 
real model, there is a server S operating in the ideal model, such that the views 
of the parties C, S in the ideal model are computationally indistinguishable from 
the views of C, S* in the real model. 

Proof (sketch). We describe how S works. 

1. S generates a secret-key/public-key pair for the homomorphic encryption 
scheme, chooses a random polynomial P(y) of degree kc and gives S* his 
encrypted coefficients. Note that S* does not distinguish the encryption of 
P(y) from the encryption of any other degree kc polynomial. 

2. S records all the calls S* makes to the random oracles H1, H2. Let S̄ be the 
set of input values to H1 and Ȳ be the set of y input values to H2. 

3. For every output pair (e, h) of S*, S checks whether it agrees with some s ∈ S̄ 
and y ∈ Ȳ. We call such a pair a consistent pair. That is, S checks that (i) e 
is a ciphertext resulting from applying the server’s prescribed computation 
using the encrypted coefficients, the value y, and randomness r'; and (ii) 
h = H2(r'', y), where r', r'' and the randomness in the computation are 
determined by H1(s). If such consistency does occur, S sets ȳ = y, otherwise 
it sets ȳ = ⊥. 

4. S sends the values ȳ it computed to the TTP, and S outputs the same output 
as S* in the real model. 
It is easy, given the view of S*, to decide whether a pair is consistent. As S* 
cannot distinguish the input fed to it by S from the input it receives from C in 
the real execution, we get that S*’s distributions on consistent and inconsistent 
pairs, when run by the simulator and in the real execution, are indistinguishable. 

Whenever (e, h) forms an inconsistent pair, giving an invalid symbol ⊥ as 
input to the TTP does not affect its outcome. Let (e, h) be a consistent pair, 
and let y be the value that is used in its construction. In the real execution, 
y ∈ X would result in adding y to the intersection set, and this similarly would 
happen in the simulation. The event that, in the real execution, an element x ≠ y 
would be added to the intersection set occurs with negligible probability. 

We get that the views of the parties C, S in the ideal model are computationally 
indistinguishable from the views of C, S* in the real model, as required. 



5.3 Handling Both Malicious Clients and Servers 

We briefly describe how to combine these two schemes to yield a PM protocol 
fully secure in the malicious model. We leave the detailed description to the full 
version of this paper. 

C generates B bins as before; for each bin Bi, she generates a polynomial of 
degree M with P(z) = 0, where z ∈ Bi if it is (1) mapped to Bi by our hashing 
scheme (for z = Fs(G(x)) for x ∈ X) or (2) added as needed to yield M items. 
The latter should be set outside the range of Fs. For each polynomial, C prepares 
L copies and sends their commitments to S. 

Next, S opens the encryptions of L/2 copies and verifies them. If verification 
succeeds, S opens the Fs used in the other L/2 copies. He chooses a random s, 
splits it into L/2 shares, and then acts as in PM-Malicious-Server, albeit using 
the random shares as payload, H1(s) as randomness, and appending H2(r'', y). 

Finally, C receives a list of the unopened L/2 copies. For each, she computes 
candidates for s’s shares and recovers s from them. She uses a procedure similar 
to PM-Malicious-Server to check the consistency of these L/2 shares. 



6 Approximating Intersection 

In this section, we focus on a problem related to private matching: set intersection 
and its approximation. Assume C and S hold strings X and Y respectively, 
where |X| = |Y| = N. Define Intersect(X, Y) = |{i : Xi = Yi = 1}|. Equivalently, 
Intersect(X, Y) is the scalar product of X, Y. Let 0 < ε, δ be constants. An 
(ε, δ)-approximation protocol for intersection yields, on inputs X, Y, a value â 
such that Pr[(1 − ε)a < â < (1 + ε)a] ≥ 1 − δ where a = |X ∩ Y|. The probability 
is taken over the randomness used in the protocol. 

A lower bound. Let 0 < η < N. It is easy to see that an (ε, δ)-approximation 
may be used for distinguishing the cases |X ∩ Y| ≤ η and |X ∩ Y| ≥ η(1 + ε)², 
as (with probability 1 − δ) its output is less than η(1 + ε) in the former case and 
greater than η(1 + ε) in the latter. 
Protocol Private-Sample-B 

Input: C and S hold N-bit strings X, Y, respectively. 

1. C picks a random mask mc ∈R {0, 1} and shift amount rc ∈R [N]. She computes the N-bit string X' = (X << rc) ⊕ mc (i.e., she shifts X cyclically rc positions and XORs every location in the resulting string with mc). Similarly, S picks ms, rs and computes Y' = (Y << rs) ⊕ ms. 

2. C and S invoke two 1-out-of-N OT protocols where C retrieves sc = Y'_{rc} and S retrieves ss = X'_{rs}. 

3. C computes T00 = B(mc, sc), T01 = B(mc, sc ⊕ 1), T10 = B(mc ⊕ 1, sc), T11 = B(mc ⊕ 1, sc ⊕ 1). 

4. C and S invoke a 1-out-of-4 OT protocol where S retrieves T_{ss,ms}. S sends T_{ss,ms} back to C. 



A protocol that distinguishes |X ∩ Y| ≤ η and |X ∩ Y| ≥ η(1 + ε)² may be used 
for deciding disjointness, as defined in Section 2. Given inputs a, b of length m for 
DISJ, C sets her input X to be η ones followed by (2ε + ε²)η copies of a. Similarly, 
S sets Y to be η ones followed by (2ε + ε²)η copies of b. The length of these new 
inputs is N = |X| = |Y| = η + (2ε + ε²)ηm bits. Note that if a, b are disjoint, then 
|X ∩ Y| = η; otherwise, |X ∩ Y| ≥ η(1 + ε)². Hence, for constant ε, it follows that 
the randomized communication complexity of distinguishing the two cases is at 
least Ω(m) = Ω(N/η). By setting η to a constant, we get that the randomized 
communication complexity of an (ε, δ)-approximation for Intersect is Ω(N). 

A private approximation protocol for intersection. We describe a protocol 
for the semi-honest case. Informally, a protocol realizes a private approximation 
to a function f(X, Y) if it computes an approximation to f(X, Y) and does 
not leak any information that is not efficiently computable from f(X, Y). This 
is formulated by the requirement that each party should be able to simulate her 
view given her input and f(X, Y). We refer the reader to [10] for the formal 
definition. 

Our building block, protocol Private-Sample-B, is a simple generalization 
of the private sampler of [10]. Private-Sample-B samples a random location ℓ 
and checks if a predicate B holds on (Xℓ, Yℓ). The location ℓ is shared by C and S 
as ℓ = rc + rs (mod N), with each party holding one of the random shares rc, rs 
at the end of Step 1. Step 2 results in C and S holding random shares of Xℓ = 
mc ⊕ ss and Yℓ = ms ⊕ sc. Finally, both parties learn B(mc ⊕ ss, ms ⊕ sc) = 
B(Xℓ, Yℓ). 

It is easy to see that the views of C and S in Protocol Private-Sample-B 
are simulatable given v = |{ℓ : B(Xℓ, Yℓ)}|. It follows that any approximation 
based on the outcome of the protocol is a private approximation for v. 

The communication costs of Private-Sample-B are dominated by the cost of 
the 1-out-of-N OT protocol in use. Naor and Pinkas [19] showed how to combine a 
1-out-of-N OT protocol with any computational PIR scheme, under the DDH assumption. 
Combining this result with the PIR scheme of Cachin et al. [5] (or of Kiayias and 
Yung [15]) results in λ polylog(N) communication, for security parameter λ. 
Our protocol Intersect-Approx repeatedly invokes Private-Sample-B with 
B(α, β) = α ∧ β, for a maximum of M invocations. We call an invocation positive 
if it concludes with B evaluated as 1. If T positive invocations occur in t ≤ M rounds, the 
protocol outputs T/t and halts. Otherwise (after M invocations) the protocol 
outputs 0 and halts. 

The random variable t is the sum of T independent geometric random variables. 
Hence, E[t] = T/p and Var[t] = T(1 − p)/p², where p = v/N. Using the 
Chebyshev Inequality, we get that 

Pr[|t − T/p| > γT/p] < Var[t] / (γT/p)² = (1 − p)/(γ²T) ≤ δ/2. 

Let β = , taking T = ensures that, if T positive invocations occur, 
then the protocol’s output is within (1 − ε)p and (1 + ε)p, except for δ/2 probability. 
To complete the protocol, we set M = N(ln δ + 1) so that if v ≠ 0, the 
probability of not having T positive invocations is at most δ/2. 

Note that the number of rounds in protocol Intersect-Approx is not fixed, 
and depends on the exact intersection size v. The protocol is optimal in the sense 
that it matches the lower-bound for distinguishing inputs with intersection size 
k from inputs with intersection size k(1 + ε) in an expected O(N/k) invocations 
of Private-Sample-B. 
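Protocol Private-Sample-B and the Intersect-Approx loop built on it, as an added example that is not the paper's own code. It assumes an ideal 1-out-of-N OT functionality as a stand-in for the OT protocol (the function `ot_1_of_n` simply hands the receiver one entry), and it returns the sampled location ℓ alongside the outcome purely so correctness can be checked; in the protocol ℓ stays secret-shared.

```python
import random


def ot_1_of_n(table, index):
    """Ideal 1-out-of-N (and 1-out-of-4) OT functionality: the receiver learns exactly one entry.
    A stand-in for the OT protocol, not a cryptographic implementation (assumption of this example)."""
    return table[index]


def private_sample_b(X, Y, B, rng):
    """One invocation of Private-Sample-B on N-bit strings X, Y (lists of 0/1 ints).
    Returns the shared outcome B(X_l, Y_l) and, for checking only, the sampled location l
    (in the protocol l stays secret-shared as r_C + r_S mod N)."""
    n = len(X)
    # Step 1: each party masks and cyclically shifts her own string.
    m_c, r_c = rng.randrange(2), rng.randrange(n)
    m_s, r_s = rng.randrange(2), rng.randrange(n)
    x_shift = [X[(i + r_c) % n] ^ m_c for i in range(n)]   # X' = (X << r_C) xor m_C
    y_shift = [Y[(i + r_s) % n] ^ m_s for i in range(n)]   # Y' = (Y << r_S) xor m_S
    # Step 2: C retrieves s_C = Y'_{r_C}, S retrieves s_S = X'_{r_S}; these are shares of Y_l and X_l.
    s_c = ot_1_of_n(y_shift, r_c)
    s_s = ot_1_of_n(x_shift, r_s)
    # Step 3: C tabulates B for all four ways the other party's shares could correct hers.
    table = {(a, b): B(m_c ^ a, s_c ^ b) for a in (0, 1) for b in (0, 1)}
    # Step 4: S retrieves T_{s_S, m_S} = B(m_C xor s_S, s_C xor m_S) = B(X_l, Y_l) and returns it to C.
    outcome = ot_1_of_n(table, (s_s, m_s))
    return outcome, (r_c + r_s) % n


def intersect_approx(X, Y, T, M, rng):
    """Intersect-Approx: repeat Private-Sample-B with B = AND until T positive invocations.
    Outputs T/t, an estimate of p = v/N (so N*T/t estimates v = |X and Y|), or 0 after M rounds."""
    positives = 0
    for t in range(1, M + 1):
        outcome, _ = private_sample_b(X, Y, lambda a, b: a & b, rng)
        positives += outcome
        if positives == T:
            return T / t
    return 0.0
```

Because the loop stops after the T-th positive sample, the number of rounds t itself carries information about v, which is exactly the leakage the Caveat below describes.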



Caveat. As the number of rounds in our protocol is a function of its outcome, 
an observer that only counts the number of rounds in the protocol, or the time 
it takes to run it, may estimate its outcome. The problem is inherent in our 
security definitions — both for semi-honest and malicious parties — as they only 
take into account the parties that “formally” participate in the protocol (unlike, 
e.g., in universal composability [6]). In particular, these definitions allow for any 
information that is learned by all the participating parties to be sent in the 
clear. While it may be that creating secure channels for the protocol (e.g., using 
encryption) prevents this leakage in many cases, this is not a sufficient measure 
in general nor specifically for our protocol (as one must hide the communication 
length of Intersect-Approx). 



7 The Multi-party Case 

We briefly discuss computing the intersection in a multi-party environment. As- 
sume that there are n parties, P1, ..., Pn, with corresponding lists of inputs 
X1, ..., Xn; w.l.o.g., we assume each list contains k inputs. The parties compute 
the intersection of all n lists. We only sketch a protocol for semi-honest par- 
ties, starting with a basic protocol that is secure with respect to client parties 
P1, ..., Pn−1 and then modifying it to get security with respect to all parties. 

A strawman protocol. Let client parties P1, ..., Pn−1 each generate a poly- 
nomial encoding their input, as for Protocol PM-Semi-Honest in the two-party 
case. Each client uses her own public key and sends the encrypted polynomials 
to Pn, which we refer to as the leader. This naming of parties as clients and the 
leader is done for conceptual clarity. 

For each item y in his list, leader Pn prepares (n − 1) random shares that 
XOR to y. He then evaluates the (n − 1) polynomials he received, encoding the 
ℓth share of y as the payload of the evaluation of the ℓth polynomial. Finally, 
he publishes a shuffled list of (n − 1)-tuples. Each tuple contains the encryptions 
that the leader obtained while evaluating the polynomials on input y, for every 
y in his input set. Note that every tuple contains exactly one entry encrypted 
with the key of client Pℓ, for 1 ≤ ℓ ≤ n − 1. 

To obtain the outcome, each client Pℓ decrypts the entries that are encrypted 
with her public key and publishes them. If XOR-ing the decrypted values results 
in y, then y is in the intersection. 

Achieving security with respect to semi-honest parties. This strawman 
approach is flawed. The leader Pn generates the shares that the clients decrypt. 
Hence, he may recognize, for values y in his set but not in the intersection, which 
clients also hold y: these clients, and only these clients, would publish the right 
shares. We can fix this problem by letting each client generate k sets of random 
shares that XOR to zero (one set for each of the leader’s inputs). Then, each 
client encrypts one share from each set to every other client. Finally, the clients 
publish the XOR of the original share from the leader with the new shares from 
other clients. If y is in the intersection set, then the XOR of all published values 
for each of the leader’s k inputs is still y, otherwise it looks random to any 
coalition. More concretely, the protocol for semi-honest parties is as follows. 

1. A client party Pi, for 1 ≤ i ≤ n − 1, operates as in the two-party case. She 
generates a polynomial Qi of degree k encoding her inputs, and generates ho- 
momorphic encryptions of the coefficients (with her own public key). Pi also 
chooses k sets of n − 1 random numbers, call these {s^i_{j,1}, ..., s^i_{j,n−1}}. We 
can view this as a matrix with k rows and (n − 1) columns: Each column cor- 
responds to the values given to party Pℓ; each row corresponds to the random 
numbers generated for one of the leader’s inputs. This matrix is chosen such 
that the XOR of each row sums to zero, i.e., for j = 1 ... k, ⊕_{ℓ=1}^{n−1} s^i_{j,ℓ} = 0. 
For each column ℓ, she encrypts the corresponding shares using the public 
key of client Pℓ. She sends all her encrypted data to a public bulletin board 
(or just to the leader who acts in such a capacity). 

2. For each item y in his list Xn (the rows), leader Pn prepares (n − 1) random 
shares σ_{y,ℓ} (one for each column), where ⊕_{ℓ=1}^{n−1} σ_{y,ℓ} = y. Then, for each of 
the k elements of the matrix column representing client Pℓ, he computes the 
encryption of (r_{y,ℓ} · Qℓ(y) + σ_{y,ℓ}) using Pℓ’s public key and a fresh random 
number r_{y,ℓ}. In total, the leader generates k tuples of (n − 1) items each. He 
randomly permutes the order of the tuples and publishes the resulting data. 

3. Each client Pℓ decrypts the n entries that are encrypted with her public 
key: namely, the ℓth column generated by Pn (of k elements) and the (n − 1) 
ℓth columns generated by clients (each also of k elements). Pℓ computes the 
XOR of each row in the resulting matrix: (⊕_{i=1}^{n−1} s^i_{j,ℓ}) ⊕ σ_{j,ℓ}. She publishes 
these k results. 

4. Each Pi checks if the XOR of the (n − 1) published results for each row is equal 
to a value y in her input: If this is the case, ⊕_{ℓ=1}^{n−1}((⊕_{i=1}^{n−1} s^i_{j,ℓ}) ⊕ σ_{j,ℓ}) = y, 
and she concludes that y is in the intersection. 
Intuitively, the values output by each client (Step 3) appear random to the 
leader, so he cannot differentiate between the output from clients with y in their 
input and those without, as he could in the strawman proposal. 
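The share matrix of Steps 1 to 4 next to the strawman it repairs, as an added example that is not the paper's code. It models the homomorphic encryption by delivering the plaintext r·Qℓ(y) + σ_{y,ℓ} to client ℓ alone (so only the XOR-share logic is exercised, not the cryptography), uses a constructed 61-bit prime field, and the function names are this example's own.

```python
import random

PRIME = 2**61 - 1   # field for the polynomial arithmetic (constructed toy parameter)
BITS = 60           # inputs and XOR shares are BITS-bit values, so every XOR stays below PRIME


def xor_all(values):
    acc = 0
    for v in values:
        acc ^= v
    return acc


def xor_shares(value, count, rng):
    """count random BITS-bit values whose XOR is exactly value."""
    shares = [rng.getrandbits(BITS) for _ in range(count - 1)]
    shares.append(value ^ xor_all(shares))
    return shares


def q_eval(roots, y):
    """Q(y) = prod (y - x) mod PRIME for the client's polynomial Q with roots X; zero iff y in X."""
    acc = 1
    for x in roots:
        acc = acc * (y - x) % PRIME
    return acc


def leader_round(client_inputs, leader_input, rng):
    """Step 2. For each of his k inputs y the leader splits y into n-1 XOR shares sigma_{y,l}
    and, per client l, computes r * Q_l(y) + sigma_{y,l}. Encryption under P_l's key is
    modelled here by delivering that plaintext to client l alone (assumption of this example).
    Returns the shuffled rows as (y, sigmas, payloads); only payloads reach the clients."""
    rows = []
    for y in leader_input:
        sigmas = xor_shares(y, len(client_inputs), rng)
        payloads = [(rng.randrange(1, PRIME) * q_eval(X_l, y) + sigmas[l]) % PRIME
                    for l, X_l in enumerate(client_inputs)]
        rows.append((y, sigmas, payloads))
    rng.shuffle(rows)
    return rows


def client_masks(num_clients, k, rng):
    """Step 1. masks[i][j] is client i's row j: n-1 values (one per column l) XORing to zero."""
    return [[xor_shares(0, num_clients, rng) for _ in range(k)] for _ in range(num_clients)]


def publish(rows, masks):
    """Step 3. Client l publishes, per row j, payload_{j,l} XOR (XOR over i of s^i_{j,l}).
    With masks=None this is the strawman protocol, where the raw decrypted payload is published."""
    num_clients = len(rows[0][2])
    out = []
    for j, (_, _, payloads) in enumerate(rows):
        if masks is None:
            out.append(list(payloads))
        else:
            out.append([payloads[l] ^ xor_all(masks[i][j][l] for i in range(num_clients))
                        for l in range(num_clients)])
    return out


def intersection_seen_by(published, X_i):
    """Step 4. Client i concludes y is in the intersection when a row's published values XOR to y in X_i."""
    return {v for v in (xor_all(row) for row in published) if v in X_i}


def leader_leakage(rows, published):
    """Leakage test available to the leader: which clients published exactly his share sigma_{y,l}?
    In the strawman this is exactly the set of clients holding y; with the masks it is empty."""
    return {y: {l for l, v in enumerate(published[j]) if v == sigmas[l]}
            for j, (y, sigmas, _) in enumerate(rows)}
```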

Note that the communication involves two rounds in which P1, ..., Pn−1 sub- 
mit data, and a round where Pn submits data. This is preferable to protocols 
consisting of many rounds with communication. The computation overhead 
of Pn can be improved by using the hashing-to-bins method of Section 4.2. 

8 Fuzzy Matching and Fuzzy Search 

In many applications, database entries are not always accurate or full (e.g., due 
to errors, omissions, or inconsistent spellings of names). In these cases, it would 
be useful to have a private matching algorithm that reports a match even if two 
entries are only similar. 

We let each database entry be a list of T attributes, and consider X = 
(x1, ..., xT) and Y = (y1, ..., yT) similar if they agree on (at least) t ≤ T at- 
tributes. One variant is fuzzy search, where the client specifies a list of attributes 
and asks for all the database entries that agree with at least t of the attributes. 
This may be achieved by a simple modification of our basic PM-Semi-Honest 
protocol, by letting the server reply with the encryptions of ri · Pi(yi) + si, where 
t shares of s1, ..., sT are necessary and sufficient for recovering Y. This fuzzy 
search scheme may be used to compare two “databases” each containing just 
one element comprised of many attributes. 

The protocol may be modified to privately compute fuzzy matching in larger 
databases, e.g., when a match is announced if entries agree on t out of T at- 
tributes. In this section, we present a scheme, in the semi-honest model, that 
considers a simple form of this fuzzy private matching problem. 

A 2-out-of-3 fuzzy matching protocol. A client C has kc 3-tuples 
X1, ..., Xkc. Let P1, P2, P3 be polynomials, such that Pj is used to encode the 
jth element of the three-tuple, Xi^j, for 1 ≤ i ≤ kc. For all i, let C choose a new 
random value Ri and set Ri = P1(Xi^1) = P2(Xi^2) = P3(Xi^3). In general, the 
degree of each such polynomial is kc, and therefore, two non-equal polynomials 
can match in at most kc positions. C sends (P1, P2, P3) to S as encrypted coeffi- 
cients, as earlier. The server S, for every three-tuple Yi in his database of size ks, 
responds to C in a manner similar to Protocol PM-Semi-Honest: He computes 
the encrypted values r(P1(Yi^1) − P2(Yi^2)) + Yi, r'(P1(Yi^1) − P3(Yi^3)) + Yi, and 
r''(P2(Yi^2) − P3(Yi^3)) + Yi. If two elements in Yi are the same as those in Xi, the 
client receives Yi in one of the entries. 

We leave as open problems the design of more efficient fuzzy matching pro- 
tocols (without incurring a (T choose t) factor in the communication complexity) and of 
protocols secure in the malicious model. 
Abstract. Informally, an obfuscator O is an efficient, probabilistic “compiler” 
that transforms a program P into a new program O(P) with the same functional- 
ity as P, but such that O(P) protects any secrets that may be built into and used 
by P. Program obfuscation, if possible, would have numerous important cryp- 
tographic applications, including: (1) “Intellectual property” protection of secret 
algorithms and keys in software, (2) Solving the long-standing open problem of 
homomorphic public-key encryption, (3) Controlled delegation of authority and 
access, (4) Transforming Private-Key Encryption into Public-Key Encryption, 
and (5) Access Control Systems. Unfortunately however, program obfuscators 
that work on arbitrary programs cannot exist [1]. No positive results for program 
obfuscation were known prior to this work. 

In this paper, we provide the first positive results in program obfuscation. We 
focus on the goal of access control, and give several provable obfuscations for 
complex access control functionalities, in the random oracle model. Our results 
are obtained through non-trivial compositions of obfuscations; we note that gen- 
eral composition of obfuscations is impossible, and so developing techniques for 
composing obfuscations is an important goal. Our work can also be seen as mak- 
ing initial progress toward the goal of obfuscating finite automata or regular ex- 
pressions, an important general class of machines which are not ruled out by the 
impossibility results of [1]. We also note that our work provides the first formal 
proof techniques for obfuscation, which we expect to be useful in future work in 
this area. 



1 Introduction 

Software Obfuscation is an important cryptographic concept with wide applications. 
However until recently there was little theoretical investigation of obfuscation, despite 
the great success theoretical cryptography has had in tackling other challenging notions 
of security. 

Roughly speaking, the goal of (program) obfuscation is to hide the secrets inside 
a program while preserving its functionality. Ideally, an obfuscated program should 
be a “virtual black box,” in the sense that anything one can compute from it could 
also be computed from the input-output behavior of the program. To be clear (but still 
informal), an obfuscator O is an efficient, probabilistic “compiler” that transforms a 
program P into a new program O(P) such that: 

- (Functionality Preservation.) The input/output behavior of O(P) is the same 
as P. 

- (Secrecy.) “Anything that can be efficiently computed from O(P) can be efficiently 
computed given oracle access to P.” 

This second property seeks to formalize the notion that all aspects of P which are not 
obvious from its input/output behavior should be hidden by O(P). By considering the 
problem of obfuscation restricted to specific classes of interesting programs, one can 
further specify exactly what needs to be hidden by the obfuscation, and what doesn’t 
need to be.¹ 

Program obfuscation, if possible, would have numerous important cryptographic 
applications, including: (1) “Intellectual property” protection of secret algorithms and 
keys in software, (2) Solving the long-standing open problem of homomorphic public- 
key encryption, (3) Controlled delegation of authority and access, and (4) Transforming 
Private-Key Encryption into Public-Key Encryption. (See [1] for more discussion.) We 
discuss another important application, access control, in more detail below. 

Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan, and Yang [1] initiated the 
formal cryptographic study of obfuscation, and established several important impos- 
sibility results (which we discuss further below). There have been many ad-hoc ap- 
proaches to program obfuscation (see e.g. [3]); Many of these have been broken (e.g. [4] 
broken by [7]), and none of these have proofs of their security properties. Proven results 
are known only in models where the adversary has only partial access to the obfuscated 
program or circuit [5,6]. 

In this paper, we provide the first positive results in program obfuscation. We fo- 
cus on the goal of access control, and give several provable obfuscations for complex 
access control functionalities, in the random oracle model. Our results are obtained 
through non-trivial compositions of obfuscations; we note that general composition of 
obfuscations is impossible, and so developing techniques for composing obfuscations 
is an important goal. Our work can also be seen as making initial progress toward the 
goal of obfuscating finite automata or regular expressions, an important general class of 
machines which are not ruled out by the impossibility results of [1]. We also note that 
our work provides the first formal proof techniques for obfuscation, which we expect to 
be useful in future work in this area. 

Context for our work. In order to understand the challenge of program obfuscation, we 
first recall the impossibility results of [1]. Their central construction demonstrates the 
existence of a particular family of programs, for which no obfuscator can exist. More 
precisely, every function in this family has an associated secret key such that: (1) no efficient 
algorithm can extract the secret key given the input/output functionality of a random 
function from the family; (2) however, there exists an adversary which can always extract the 

¹ In general, one can define a class of programs parametrized by the secrets which are meant 
to be protected by the obfuscation. For instance, for a program P which sorts the input and 
then signs it using a secret signature key sk, one can define a program class {P_sk : 
P using key sk}. An obfuscator for this class would then only be required to protect the secret key; 
it would not be required, for example, to protect the exact nature of the sorting algorithm, since 
this is the same for all programs in the class. 
secret key given any program which implements a function in the family. There are several 
important observations to be made: 

- The program family consists of programs which have inputs and outputs of 
bounded length. Under a widely believed complexity assumption (factoring Blum 
integers is hard), it can be implemented by constant-depth polynomial-size threshold 
circuits (i.e., it lies in TC^0). Furthermore, the family can be embedded into specific construc- 
tions of most cryptographic primitives, thus ruling out obfuscators that work on, 
say, any signature scheme. 

- If the obfuscated program runs in time T, the adversary which extracts the secret 
key runs in time roughly only 
Note also that the adversary’s probability of success is 1. 

- The impossibility result (with all the properties above) extends to the random oracle 
model. 

The above properties highlight the difficulty of obtaining any general methods for ob- 
fuscation: Because the adversary runs quickly and always succeeds in extracting the 
secret key (and the impossibility result holds in the random oracle model), there seems 
little hope to relax our security requirement: General purpose obfuscation under any 
meaningful relaxed secrecy definition² would seem to find a counterexample in this family. 

This has consequences for the techniques we can hope to develop to build and prove 
obfuscations. One of the most useful techniques we could hope for is composition. 
However, note that any single logic gate is trivially obfuscatable; indeed even a depth 1 
threshold circuit (TC^0_1) is trivially obfuscatable since it is learnable with oracle queries. 
Obviously, an arbitrary circuit can be built from a composition of logic gates; and any 
TC^0 circuit can be built from just a constant number of compositions of TC^0_1 cir- 
cuits. Thus, no general theorem showing how to compose even a constant number of 
obfuscations is possible (under reasonable complexity assumptions). 

Our Results. We now describe our results in more detail. The starting point for our 
work is the simple observation that a commonly used practice for hiding passwords 
can be viewed as a provably secure obfuscation of a “point function” under the random 
oracle model. That is, consider the family of functions {f_a} where f_a(x) = 1 if x = 
a, and f_a(x) = 0 otherwise. If R is a random oracle³ (with a large enough range), 
then the program which stores p = R(a), and on input x outputs 1 iff R(x) = p 

² There is one intriguing, if limited, possibility that we can imagine: There is nothing known 
to rule out a general purpose obfuscator that takes circuits of size s, and outputs circuits of 
size, say, O(s^k), such that no adversary running in time could obtain meaningful 
information. If k were large enough, this could conceivably provide enough of a slowdown to 
be useful in some cases. No such transformation is known to exist. 

³ The work of [2] on “perfectly one-way hash functions” can be seen as a way to implement the 
random oracle within this obfuscation in certain models. By considering an extension of such 
models, it is possible to apply the techniques of [2] to remove the random oracles from all 
our constructions. However, these models are not satisfactory, because in general [2] cannot 
deal with partial information being available to the adversary, which is an important part of the 
obfuscation model we consider. Extending [2] to deal with partial information is an important 
open problem. Progress there would lead to progress toward removing the random oracle in our 
constructions. However, since we seek to give the first positive results regarding obfuscation. 
is an obfuscation of f_a with high probability over R. Starting with this most basic of 
access control functionalities, we give a number of novel reduction and composition 
techniques for obfuscation, and use these to build obfuscations of much more complex 
access control functionalities. 

We show how to obfuscate a functionality we call an Access Automaton. Consider a large organization (such as a government) that wishes to implement a complex hierarchical access control system for a large collection of private information. In such a system, a single piece of information may need to be accessible by persons with a variety of different credentials (e.g. the co-chair of one subcommittee and the secretary of an unrelated working group may need access to the same piece of secret information). In our setting, we allow for an exponential number of sets of credentials to give access to a common piece of information. We model this framework as an arbitrary directed graph, where each edge is labeled with a password/credential, and each node is attached to a secret. At the start, the structure of the graph is completely unknown to a user, but by supplying passwords/credentials, the user can explore and learn as much of the graph as she has access to, given the set of passwords/credentials she has. We show how to provably obfuscate this functionality in the random oracle model. We also show that our obfuscation can be dynamically updated, such that secrecy is preserved even if the adversary observes the entire history of obfuscated programs.

A potential drawback of the above functionality concerns weak passwords. Suppose there is a document which is accessible by giving a sequence of 5 passwords, but the adversary has partial information allowing him to narrow each password to a (different) set of $10^4$ possibilities. The adversary could efficiently “break” each password one by one, and access the document, even though the document itself had $\log(10^{20})$ “bits” of security. We show how to address this problem: Suppose we have a public regular expression over hidden strings (e.g. the expression “$x_1(x_1|x_2)^*(x_2|x_3)x_3x_4$”, where $x_1, x_2, x_3, x_4$ are unknown strings). Then we show how to essentially obfuscate this expression in a way that preserves the natural security inherent in the expression. In the example above, the adversary would not gain any partial information even if he knew that $x_3$ was one of only two possibilities: without knowing $x_1$ and $x_4$, he cannot resolve his uncertainty about $x_3$. The main difference between this case and the Access Automaton is that the overall structure of the regular expression is not hidden by the obfuscation. We also give another obfuscation for public regular expressions over “black boxes”; this does not have the security property above, but can be seen as providing a nontrivial obfuscation of a composition of individually obfuscatable functions. We also show how to go beyond just “equality checking” by giving an obfuscation for proximity checking in tree metrics.

We believe that the proof techniques we introduce are as important as the results we obtain. In particular, we give a new notion of reduction between classes of functions which implies that if one is obfuscatable, then so is the other. The significance of this is that it allows obfuscations of complex functions to be built using obfuscations of simpler functions. The latter may be implemented in any way, possibly in hardware. From a theoretical perspective, this is important because obfuscations built this way

we do not concern ourselves with removing the random oracle in this work. We stress that it is indeed an important problem to address in the future.
need not be based on the random-oracle model, but can be in a model where the simpler obfuscations are available as primitives. We also make many observations about the possibility of putting together multiple obfuscations. We believe our techniques and observations will be of further use in the nascent field of program obfuscation.

2 Preliminaries 

Following Barak et al. [1] we define obfuscation of a family of functions $\mathcal{F}$ as follows.



Definition 1. A family of functions $\mathcal{F}$ is obfuscatable if there exists an algorithm $\mathcal{O}$ which takes a Turing Machine (or circuit) that computes $F \in \mathcal{F}$ and outputs a Turing Machine (circuit, respectively) such that the following conditions hold (the TM or circuit is also denoted by $F$).

1. (Functionality) For all $F \in \mathcal{F}$ and all inputs $x \in \{0,1\}^*$ we have $\mathcal{O}(F)(x) = F(x)$.

2. (Polynomial Slowdown) There exists a polynomial $p$ such that for all $F \in \mathcal{F}$ we have $|\mathcal{O}(F)| \le p(|F|)$ and (in the case of Turing Machines) if $F$ takes $t$ time steps on an input $x \in \{0,1\}^*$, $\mathcal{O}(F)$ takes at most $p(t)$ time steps.

3. (Virtual Blackbox) For all PPT $A$, there exists a PPT $S$ and a negligible function $\nu$ such that for all $F \in \mathcal{F}$ we have

$$\left|\Pr[A(\mathcal{O}(F)) = 1] - \Pr[S^F(1^{|F|}) = 1]\right| \le \nu(|F|).$$

Here the probabilities are taken over the randomness of $A$ and $S$ (and $\mathcal{O}$ and $F$ if they are randomized).

$\mathcal{O}$ is called an obfuscator for $\mathcal{F}$ and $\mathcal{O}(F)$ an obfuscation of $F$. $\mathcal{O}$ is said to be efficient if it runs in polynomial time, in which case we say $\mathcal{F}$ is efficiently obfuscatable.

Now we extend this definition so that random oracles are taken into account.

We consider a parameter $k$ associated with the family of functions being obfuscated. The size of $F \in \mathcal{F}_k$ is polynomial in $k$, and the random oracle that can be used in the obfuscation will be a random member of $\mathfrak{R}_k$, the set of all functions from $\{0,1\}^*$ to $\{0,1\}^{\ell(k)}$ for some polynomial $\ell$. We shall refer to $k$ as the feasibility parameter.

Definition 2. (Obfuscation in the Random Oracle Model) An oracle algorithm $\mathcal{O}$ which takes as input a Turing Machine (or circuit) and produces an oracle Turing Machine (or oracle circuit) is said to be an obfuscator of the family $\mathcal{F} = \bigcup_k \mathcal{F}_k$ if we have that

1'. (Approximate Functionality) There exists a negligible function $\nu$ such that, for all $k$, for all $F \in \mathcal{F}_k$ we have $\Pr_{\mathcal{R}}[\exists x \in \{0,1\}^* : \mathcal{O}^{\mathcal{R}}(F)(x) \ne F(x)] \le \nu(k)$.‡

2'. (Polynomial Slowdown) There exists a polynomial $p$ such that for all $k$, for all $F \in \mathcal{F}_k$ we have $|\mathcal{O}(F)| \le p(k)$ and (in the case of Turing Machines) if $F$ takes $t$ time steps on an input $x \in \{0,1\}^*$, $\mathcal{O}(F)$ takes at most $p(t)$ time steps.

‡ A weaker requirement would be that for all $F \in \mathcal{F}_k$ and $x \in \{0,1\}^*$, we have $\Pr_{\mathcal{R}}[\mathcal{O}^{\mathcal{R}}(F)(x) \ne F(x)] \le \nu(k)$.
3'. (Virtual Blackbox) For all PPT $A$, there exists a PPT $S$ and a negligible function $\nu$ such that for all $k$, for all $F \in \mathcal{F}_k$ we have

$$\left|\Pr[A^{\mathcal{R}}(\mathcal{O}^{\mathcal{R}}(F)) = 1] - \Pr[S^F(1^k) = 1]\right| \le \nu(k).$$

Here the probabilities are taken over $\mathcal{R} \in \mathfrak{R}_k$ as well as the randomness of $A$ and $S$ (and $\mathcal{O}$ if it is randomized).

$\mathcal{O}$ is called an obfuscator for $\mathcal{F}$ and $\mathcal{O}(F)$ an obfuscation of $F$. $\mathcal{O}$ is said to be efficient if it runs in polynomial time, in which case we say $\mathcal{F}$ is efficiently obfuscatable.

In the sequel, all our results will apply to the definition presented here (in the random oracle model). For notational convenience we shall often abbreviate $\mathcal{O}^{\mathcal{R}}$, $A^{\mathcal{R}}$ etc. to simply $\mathcal{O}$, $A$ etc.



3 Reductions and Composition

3.1 Reductions

Definition 3. A class of Turing Machines (or circuits) $\mathcal{F}$ is said to be polynomial-time black-box implementable relative to $\mathcal{G}$ (denoted $\mathcal{F} \ll \mathcal{G}$) if there exist polynomial time TMs (circuits) $M$ and $N$ such that for every $F \in \mathcal{F}$ there is a $G \in \mathcal{G}$, such that $M^G$ computes the same function as $F$, and $N^F$ computes the same function as $G$.

So, if $\mathcal{F} \ll \mathcal{G}$, for every $F \in \mathcal{F}$, $\mathcal{G}$ contains a function $G$ which is “equivalent” to $F$ in some extended sense. Now we give the main tool which lets us reuse results on obfuscatability.

Lemma 1. If $\mathcal{F} \ll \mathcal{G}$ and $\mathcal{G}$ is obfuscatable (when every $G \in \mathcal{G}$ is given as $N^F$ for an $F \in \mathcal{F}$)§, then so is $\mathcal{F}$. Further if $\mathcal{G}$ is efficiently obfuscatable, then $\mathcal{F}$ is efficiently obfuscatable too.

Proof: Given $F \in \mathcal{F}$, let $G \in \mathcal{G}$ be such that $M^G = F$ and $G = N^F$. Since $\mathcal{G}$ is obfuscatable, let $\mathcal{O}'$ be an obfuscator for $\mathcal{G}$. We claim that $\mathcal{O}(F) = M^{\mathcal{O}'(G)}$ (i.e., the code of $M$ and the code $\mathcal{O}'(G)$) is an obfuscation of $F$.

Clearly, conditions 1' and 2' of Definition 2 are satisfied. To prove condition 3', consider any adversary $A$ which accepts the code $\mathcal{O}(F) = M^{\mathcal{O}'(G)}$. We need to demonstrate a PPT $S$ as required by condition 3'. First, we build an adversary $A'$ which accepts the code $\mathcal{O}'(G)$, adds the code of $M$ to it to get $\mathcal{O}(F)$, passes it on to an internally simulated copy of $A$, and outputs whatever $A$ outputs. Now, since $\mathcal{O}'(G)$ is an obfuscation of $G$, there exists a simulator $S'$ such that

$$\left|\Pr[S'^{G}(|\mathcal{O}'(G)|) = 1] - \Pr[A'(\mathcal{O}'(G)) = 1]\right| \le \epsilon \qquad (1)$$

for some negligible function $\epsilon(|\mathcal{O}'(G)|)$.

§ If $G \in \mathcal{G}$ is obfuscatable only when represented in some other format, this Lemma still holds, but now the obfuscator for $\mathcal{F}$ takes $F$ as $M^G$ with $G$ specified in that obfuscatable format.
We use $S'$ to build $S$, as follows. Note that $S$ gets oracle access to $F$ and receives $|\mathcal{O}(F)|$ as input. $S$ can implement an oracle equivalent to $G$ as $N^F$, using its oracle access to $F$. It runs $S'$ with oracle access to $G$ implemented in this way, and input $|\mathcal{O}'(G)|$ calculated from $|\mathcal{O}(F)|$ (by subtracting the size of $M$). $S$ outputs whatever $S'$ outputs.

Clearly, by construction,

$$\Pr[A(\mathcal{O}(F)) = 1] = \Pr[A'(\mathcal{O}'(G)) = 1]$$

$$\Pr[S^F(|\mathcal{O}(F)|) = 1] = \Pr[S'^{G}(|\mathcal{O}'(G)|) = 1]$$

and so by Equation (1), $|\Pr[S^F(|\mathcal{O}(F)|) = 1] - \Pr[A(\mathcal{O}(F)) = 1]| \le \epsilon$. Finally $|\mathcal{O}(F)| \ge |\mathcal{O}'(G)|$, so that $\epsilon$ is still negligible when considered a function of $|\mathcal{O}(F)|$, completing the proof.

Note that in building $\mathcal{O}(F) = M^{\mathcal{O}'(G)}$ the obfuscator $\mathcal{O}$ needs to obtain $\mathcal{O}'(G)$, given $F$. Since $G$ can be specified as $N^F$ to $\mathcal{O}'$, if $\mathcal{O}'$ is efficient so is $\mathcal{O}$. □

3.2 Extending Lemma 1

We extend Definition 3 and Lemma 1 to allow reductions to probabilistic families of functions. We do this for proving Theorem 3. In fact, somewhat more general extensions are possible. But for the sake of simplicity we restrict ourselves more or less to the minimum extensions we will need. The reader may skip this section, and return to it while reading Section 5. The other results in this paper do not need these extensions.

Definition 4. Suppose $\mathcal{G}$ is a family of probabilistic Turing Machines (or circuits), and $\mathcal{F}$ a family of deterministic TMs (circuits). We say $\mathcal{F} \ll_{\approx} \mathcal{G}$ if there exist probabilistic polynomial time TMs (circuits) $M$ and $N$ such that for every $F \in \mathcal{F}$ there is a $G \in \mathcal{G}$, such that the distributions of outputs of $M^G$ and $F$ are computationally indistinguishable, and those of $N^F$ and $G$ are computationally indistinguishable.

Note that unlike Definition 3, the above definition is not information theoretic. It involves the notion of computational indistinguishability, and hence inherently all the results which use the following lemma require the adversary ($A$ and $S$) to be PPT machines or circuits. The proof of the lemma closely follows that of Lemma 1. It is given in the extended version [8].

Lemma 2. Suppose $\mathcal{F} \ll_{\approx} \mathcal{G}$. Let $\mathcal{G}'$ be the family of deterministic TMs (circuits) obtained by fixing in all possible ways the random-tapes of the TMs (circuits) in $\mathcal{G}$. Then, if $\mathcal{G}'$ is obfuscatable, so is $\mathcal{F}$.

3.3 Composition of Obfuscations

An obfuscated program can be idealized as oracle access to the corresponding function. We ask if obfuscations compose: can we put together different obfuscations and expect them to behave ideally as the corresponding collection of oracles? Note that here we use the term compose in the same way as one refers to composition of cryptographic protocols: to ask whether having multiple instances in the system breaks the security or not. It does not necessarily refer to composition of functions in the usual mathematical sense, something which we will address later in this section. We make the following definition to define a simple composition of obfuscations, where there is no interaction between the different instances.

Definition 5. An array of $t$ functions¶ $F_1, \ldots, F_t$ is defined as follows:

$$[F_1, \ldots, F_t](i, x) = F_i(x) \text{ if } i \in \{1, \ldots, t\}; \text{ else } \bot$$

Let $[\mathcal{O}(F), \mathcal{O}(G)]$, by abuse of notation, stand for the code which consists of the codes $\mathcal{O}(F)$ and $\mathcal{O}(G)$ as modules, and a small driving unit which directs the calls to one of the modules as appropriate.

Definition 6. (Simply Composing Obfuscations) An obfuscator $\mathcal{O}$ for a family $\mathcal{F}$ is said to produce simply $t$-self-composing obfuscations if

$$\mathcal{O}^*([F_1, \ldots, F_t]) = [\mathcal{O}(F_1), \ldots, \mathcal{O}(F_t)]$$

is an obfuscation of the family $\{[F_1, \ldots, F_t] : F_i \in \mathcal{F}\}$.

This can be extended to multiple families of obfuscatable functions to define a set of simply composing obfuscations.

In fact, in the random oracle model we have the following claim (which we conjecture to extend to the plain model too):

Claim 1. There exists a class of functions $\mathcal{F}$, and an obfuscator $\mathcal{O}$ for $\mathcal{F}$ in the random oracle model, such that obfuscations produced by $\mathcal{O}$ are not simply 2-self-composing.

Proof: We consider the class of point functions $\mathcal{P}$ (defined later, in Section 4). By Lemma 4, this class is obfuscatable in the random oracle model. Note that when $F$ and $G$ are identical (randomly chosen) functions, oracle access to the function $[F, G]$ does not reveal the fact that they are identical, to a PPT machine. On the other hand the obfuscation given in Lemma 4 does reveal this. (Of course, it is easy to modify the obfuscation, in order to avoid this problem.) Thus no simulator can simulate the behaviour of an adversary $A$ (which has access to these obfuscations) which outputs 1 if $F = G$ and 0 otherwise. □

Conjecture 1. If there are non-trivial obfuscations in the plain model, Claim 1 holds in the plain model too. Indeed, in that case, we conjecture that there exists an obfuscatable family $\mathcal{F}$, such that $\mathcal{F}' = \{[F, G] : F, G \in \mathcal{F}\}$ is unobfuscatable.

The difficulty in attempting to prove this conjecture is that it requires a non-trivial obfuscatable family, and we have virtually nothing known beyond what is being presented in this work (which is in the random oracle model).

On the other hand, an obfuscatable function composes with any trivially obfuscatable function (defined below).

¶ We can have $t$ constant, or polynomial in the feasibility parameter $k$.

Definition 7. A family of functions $\mathcal{F}$ is learnable as polynomial time circuits if there exists an oracle circuit $P$ such that for all $F \in \mathcal{F}$, $P^F$ outputs a polynomial sized circuit $C_F$ which computes $F$.

If $\mathcal{F}$ is learnable it is obfuscatable: the obfuscator $\mathcal{O}$ takes a circuit for $F$ and runs $P$ with oracle access to that circuit; it outputs $C_F$ produced by $P$ as $\mathcal{O}(F)$. This is clearly an obfuscation, because for every adversary $A$, a simulator $S$ simply runs $P$ with the oracle for $F$, obtains $C_F$ and runs $A$ on it.

Definition 8. A family of learnable functions is called a family of trivially obfuscatable functions. The obfuscation obtained via learning the function is called the trivial obfuscation of the function.

Simple as the following lemma is, it is interesting that its intuitive extension from a trivially obfuscatable family to any obfuscatable family is an open problem.

Lemma 3. Let $\mathcal{F}$ be a trivially obfuscatable family of functions. Then, $\mathcal{G}$ is obfuscatable if and only if the family of functions $\mathcal{A} = \{[F, G] : F \in \mathcal{F}, G \in \mathcal{G}\}$ is obfuscatable.

Proof: First, we show that $\mathcal{G} \ll \mathcal{A}$. Then it follows from Lemma 1 that $\mathcal{G}$ is obfuscatable if $\mathcal{A}$ is.

To see that $\mathcal{G} \ll \mathcal{A}$, for each $G \in \mathcal{G}$ we choose $A = [F, G] \in \mathcal{A}$, where $F \in \mathcal{F}$ is a fixed function for all $G$. Then a machine $M$ which internally implements $F$ can implement $A$ with access to only $G$. On the other hand a machine $N$ which has access to $A$ can clearly implement $G$.

Now we show that $\mathcal{A}$ is obfuscatable if $\mathcal{G}$ is. Intuitively, an obfuscation of $\mathcal{A}$ does not “hide” the $\mathcal{F}$ component (which is easily learnable). So it is sufficient if we are able to obfuscate the $\mathcal{G}$ part. Formally, we show that for $A = [F, G] \in \mathcal{A}$, the following is a valid obfuscation: $\mathcal{O}(A) = [\mathcal{O}'(F), \mathcal{O}'(G)]$, where $\mathcal{O}'(F)$ is the trivial obfuscation of $F$ and $\mathcal{O}'(G)$ is the obfuscation of $G$ given by the assumption that $\mathcal{G}$ is obfuscatable. As earlier the notation $[\mathcal{O}'(F), \mathcal{O}'(G)]$ refers to the code which has $\mathcal{O}'(F)$ and $\mathcal{O}'(G)$ as internal modules, plus a small control module to activate the appropriate one depending on the input.

To show that $\mathcal{O}(A)$ is a valid obfuscation, for every adversary $A$ which accepts $\mathcal{O}(A)$, we show a simulator $S$ such that $|\Pr[S^A(|\mathcal{O}(A)|) = 1] - \Pr[A(\mathcal{O}(A)) = 1]|$ is negligible. The structure of the argument is similar to that in the proof of Lemma 1.

From $A$, we first build an adversary $A'$ which takes as input $\mathcal{O}'(G)$, uses it to build the code $\mathcal{O}(A) = [\mathcal{O}'(F), \mathcal{O}'(G)]$, passes it on to an internally simulated copy of $A$, and outputs whatever $A$ outputs. Using the fact that $\mathcal{O}'(G)$ is an obfuscation of $G$, there exists a simulator $S'$ such that

$$\left|\Pr[S'^{G}(|\mathcal{O}'(G)|) = 1] - \Pr[A'(\mathcal{O}'(G)) = 1]\right| \le \epsilon \qquad (2)$$

for some negligible function $\epsilon(|\mathcal{O}'(G)|)$.

We use $S'$ to build a simulator $S$ as follows. Note that $S$ gets oracle access to $A$ and receives $|\mathcal{O}(A)|$ as input. Oracle access to $A$ in particular gives oracle access to $F$. Since $F$ is trivially obfuscatable, it is possible to obtain the trivial obfuscation $\mathcal{O}'(F)$ just using this oracle access to $F$. So $S$ first computes $\mathcal{O}'(F)$. Next, note that given oracle access to $A$, oracle access to $G$ can also be implemented. So $S$ runs $S'$ with oracle access to $G$ implemented in this way, and input $|\mathcal{O}'(G)|$ calculated from $|\mathcal{O}(A)|$ (by subtracting the size of $\mathcal{O}'(F)$). $S$ outputs whatever $S'$ outputs.

By construction,

$$\Pr[A(\mathcal{O}(A)) = 1] = \Pr[A'(\mathcal{O}'(G)) = 1]$$

$$\Pr[S^A(|\mathcal{O}(A)|) = 1] = \Pr[S'^{G}(|\mathcal{O}'(G)|) = 1]$$

and so by Equation (2), $|\Pr[S^A(|\mathcal{O}(A)|) = 1] - \Pr[A(\mathcal{O}(A)) = 1]| \le \epsilon$. Finally to complete the proof, we note that $|\mathcal{O}(A)| \ge |\mathcal{O}'(G)|$ and so $\epsilon$ is still negligible when considered a function of $|\mathcal{O}(A)|$. □

Now we consider the question of more complex composition of obfuscations. We ask if obfuscations of composed functions can be obtained by using obfuscations of the component functions. In particular we look at function compositions (in the usual mathematical sense, of one function invoking another).

Conjecture 2. Conjecture on Obfuscatability of Function Compositions: Given two classes $\mathcal{F}$ and $\mathcal{G}$ of obfuscatable programs, the family $\mathcal{A} = \{A(x) = F(G(x)) : F \in \mathcal{F}, G \in \mathcal{G}\}$ is obfuscatable.

Theorem 1. The Conjecture on Obfuscatability of Function Compositions is false, if factoring Blum integers is hard or the DDH assumption is true.

Proof Sketch: The Conjecture on Obfuscatability of Function Compositions, if true, could be applied any constant number of times: if $\mathcal{F}$ is obfuscatable, then $\mathcal{C}_t = \{A(x) = F_1(F_2(\cdots(F_t(x))\cdots)) \mid F_i \in \mathcal{F}\}$ is obfuscatable. However, it is known that if the assumptions of the theorem hold, then there exists a family of functions $\mathcal{A} \subset \mathrm{TC}^0$ that is unobfuscatable. On the other hand it is not hard to see that $\mathcal{F} = \mathrm{TC}^0_1$, the family of depth 1 threshold circuits, is trivially obfuscatable, because they can be easily learned from input/output queries. Noting that $\mathcal{A}$ is obtained by a constant number of compositions of functions from $\mathcal{F}$ completes the contradiction, and the proof. □



4 Point Functions and Extensions

In this section we define a few basic functions which can be obfuscated under the random oracle model. The proofs are easy and we include a couple of them.

Definition 9. (Class of Point Functions) A point function $P_\alpha : \{0,1\}^k \to \{0,1\}$ is defined by $P_\alpha(x) = 1$ if $x = \alpha$ and 0 otherwise. Define $\mathcal{P}_k = \{P_\alpha : \alpha \in \{0,1\}^k\}$ and $\mathcal{P} = \bigcup_k \mathcal{P}_k$.

We observe that the following simple obfuscation heuristic is indeed an obfuscation in the random oracle model (Definition 2).

Lemma 4. For random oracles $\mathcal{R} : \{0,1\}^* \to \{0,1\}^{2k}$, let $\mathcal{O}^{\mathcal{R}}(P_\alpha)$ be a program which stores $r = \mathcal{R}(\alpha)$, and on input $x \in \{0,1\}^k$, checks if $\mathcal{R}(x) = r$; if so it outputs 1, else 0.

Then, $\mathcal{O}$ is an obfuscator of $\mathcal{P}$ as defined in Definition 2.

Proof: Polynomial Slowdown is evident (by convention oracle queries are answered in one time step). The Approximate Functionality condition is true since

$$\Pr_{\mathcal{R}}\left[\exists x \in \{0,1\}^k \setminus \{\alpha\} : \mathcal{R}(x) = \mathcal{R}(\alpha)\right] \le \sum_{x \in \{0,1\}^k \setminus \{\alpha\}} \Pr_{\mathcal{R}}\left[\mathcal{R}(x) = \mathcal{R}(\alpha)\right] = (2^k - 1)/2^{2k}$$

which is negligible in $k$.

To show the Virtual Black-Box property (3'), for any adversary $A$, define the simulator $S$ (with oracle access to $P_\alpha$) which does the following. Pick a random string $r \leftarrow \{0,1\}^{2k}$, prepare a purported obfuscation of $P_\alpha$ with this $r$ and hand it to an internally simulated copy of $A$. Recall that $A$ can make queries to a random oracle, which in this case will be simulated by $S$. W.l.o.g. we assume $A$'s queries to the oracle are distinct, since oracle replies can be cached. When $A$ makes a query $q$ to the random oracle, $S$ queries the $P_\alpha$ oracle with $q$. If $P_\alpha$ answers 1, it answers $A$'s query with $r$. Else it picks a random string in $\{0,1\}^{2k}$ and sends it to $A$. Finally $S$ outputs whatever $A$ outputs. It is easy to see that the view of this internally simulated $A$ is identical to that of an $A$ which receives the obfuscation and access to the random oracle. Thus the Virtual Black-box requirement is satisfied (with $\nu(k) = 0$). □

Though we defined the point function as $P_\alpha : \{0,1\}^k \to \{0,1\}$ with $\alpha \in \{0,1\}^k$, it is easy to see that it can be modified to $P_\alpha : \bigcup_{i \le k}\{0,1\}^i \to \{0,1\}$ with $\alpha \in \bigcup_{i \le k}\{0,1\}^i$.

4.1 Composable Obfuscations of Point Functions with General Output

Definition 10. (Class of Point Functions with General Output) A point function with general output $Q_{\alpha,\beta} : \{0,1\}^k \to \{0,1\}^{\ell(k)}$ is defined by $Q_{\alpha,\beta}(x) = \beta$ if $x = \alpha$ and $\bot$ otherwise. Define $\mathcal{Q}_k = \{Q_{\alpha,\beta} : \alpha \in \{0,1\}^k, \beta \in \{0,1\}^{\ell(k)}\}$ and $\mathcal{Q} = \bigcup_k \mathcal{Q}_k$.

We omit the proof of the following theorem, as it is similar to the proof of Lemma 4.

Theorem 2. For random oracles $\mathcal{R} : \{0,1\}^* \to \{0,1\}^{2k+\ell(k)}$, let $\mathcal{O}^{\mathcal{R}}(Q_{\alpha,\beta})$ be a program as follows: Let $\mathcal{R}_1(\cdot)$ denote the first $2k$ bits of $\mathcal{R}(\cdot)$, and $\mathcal{R}_2(\cdot)$ denote the remaining bits. Choose $\psi$ at random from $\{0,1\}^k$. Let $a = \mathcal{R}_1(\psi, \alpha)$ and $b = \mathcal{R}_2(\psi, \alpha)$. The program stores $\psi$, $a$ and $c = \beta \oplus b$. On input $x \in \{0,1\}^k$, it computes $a' = \mathcal{R}_1(\psi, x)$ and $b' = \mathcal{R}_2(\psi, x)$; if $a' = a$ it outputs $b' \oplus c$; else it outputs $\bot$.

Then, $\mathcal{O}$ is an obfuscator of $\mathcal{Q}$ as defined in Definition 2.

We further observe that the above obfuscation self-composes according to Definition 6. As long as there are only polynomially many (polynomial in $k$) obfuscations in the system, the probability that two of the obfuscations will have the same value of $\psi$ is negligible. Conditioned on this (negligible probability) event not happening, a simulator with black-box access to all the (polynomially many) $Q_{\alpha,\beta}$ functions can perfectly simulate the behavior of an adversary with access to the obfuscations. Note that here the obfuscator is a randomized algorithm.

4.2 Multi-point Functions with General Output

Finally, we define a multi-point function with general output as follows.

Definition 11. (Class of Multi-Point Functions with General Output) A multi-point function $Q_{(\alpha_1,\ldots,\alpha_t),(\beta_1,\ldots,\beta_t)} : \{0,1\}^k \to (\{0,1\}^{\ell(k)} \cup \{\bot\})^t$ is defined as follows: On input $x$, output $b \in (\{0,1\}^{\ell(k)} \cup \{\bot\})^t$ where $b_i = \beta_i$ if $x = \alpha_i$, and else $b_i = \bot$. Define $\mathcal{Q}^t_k = \{Q_{(\alpha_1,\ldots,\alpha_t),(\beta_1,\ldots,\beta_t)} : \alpha_i \in \{0,1\}^k, \beta_i \in \{0,1\}^{\ell(k)}\}$ and $\mathcal{Q}^t = \bigcup_k \mathcal{Q}^t_k$. Define $\mathcal{Q}^* = \bigcup_{\text{polynomials } t} \mathcal{Q}^t$.

Since from the last section we have a self-composable obfuscation for the single point function with general output, we simply put together the $t$ programs $\mathcal{O}(Q_{\alpha_i,\beta_i})$, $i = 1, \ldots, t$ to obtain an obfuscation for $\mathcal{Q}^t$.

Lemma 5. The family of functions $\mathcal{Q}^*$ is efficiently obfuscatable in the random oracle model, in a self-composable manner.

Proof Sketch: It is easy to see that $\mathcal{Q}^t \ll \{[F_1, \ldots, F_t] : F_i \in \mathcal{Q}\}$. Since the obfuscation in Theorem 2 is self-composable, $\{[F_1, \ldots, F_t] : F_i \in \mathcal{Q}\}$ is obfuscatable, and by Lemma 1, so is $\mathcal{Q}^t$ (and hence $\mathcal{Q}^*$). To see that this composition is self-composable, note that the obfuscation of an array of functions from $\mathcal{Q}^t$ is identical to the obfuscation of a (much larger) array of functions from $\mathcal{Q}$. □



5 Obfuscating a Complex Access Control Mechanism 

Consider the following (interactive) access control task. There are multiple access points to various functions or secrets. There is an underlying directed multi-graph (possibly with multiple edges between nodes, and self-loops), with each node representing an access point. The user starts at a predefined access point, or “start node”, and proceeds to establish her access privileges, which allow her to move from one access point to another, through the edges of the graph. The access control task is the following:

- The user can reach an access point only by presenting credentials that can take her 
from the start node to that point. 

- The user gains complete access to a function or secret available at an access point 
if and only if the user has reached that access point. 

- The user does not learn anything about the structure of the graph, except what is 
revealed by the secrets at the access points she reached and the edges she traversed. 

We specify this task as access to a black-box with which the user interacts, giving her credentials at various points and receiving the secrets; the black-box internally maintains the current access point of the user. But we would like to implement this task as a program which we then hand over to the user. To maintain the security of the task, we need to obfuscate this program.

In this section we explore this obfuscation problem. We show that in the random 
oracle model this access control mechanism can indeed be obfuscated. We model the 
interactive task as a non-interactive function (formulated below) which takes the “his- 
tory” of interaction and gives a response to the last query. 

Definition 12. A graph-based access control problem $X_G$ with parameters $k$ and $d$ is defined by the following:

1. Directed multi-graph $G$ on $k$ vertices. Each node $u \in [k]$ has at most $d$ ordered neighbors $\mu_u^1, \ldots, \mu_u^d$. Let $E = \{(u, v, i) : v = \mu_u^i \text{ for some } i \in [d]\}$ be the set of all edges ($i$ is used to differentiate between the multiple edges possible between the same pair of nodes).

2. A set of passwords on the edges $\{\pi_e \mid e \in E\}$, and

3. A set of secrets at the nodes $\{\sigma_v \mid v \in [k]\}$.

Then,

$$X_G((i_1, x_1), \ldots, (i_n, x_n)) = \begin{cases} (v_n, \sigma_{v_n}) & \text{if } \exists v_0, \ldots, v_n \in [k] \text{ and } e_0, \ldots, e_{n-1} \in E \\ & \text{such that } v_0 = 1,\ e_j = (v_j, v_{j+1}, i_{j+1}) \text{ and } x_{j+1} = \pi_{e_j} \\ \bot & \text{otherwise.} \end{cases}$$

We define the family of functions $\mathcal{X}$ as the set of all $X_G$ with parameters $(k, d)$ over all multi-graphs $G$, sets of edge-passwords and sets of node-secrets.

Above, $(i, x)$ is a query in which the user provides a purported password $x$ for the $i$-th edge going out of the “current” node. For later notational convenience we shall assume that there is no secret available at node 1: i.e., $\sigma_1 = \bot$.

We are interested in cases where the inputs to $X_G$ are of size polynomial in $k$ and $d$. We point out that there may be exponentially many valid inputs for which $X_G$ outputs a secret (though the number of distinct secrets is only $k$). So it is not possible to obfuscate $X_G$ directly using Lemma 5.

Instead we proceed in the following manner: each node is represented by the tuple $(v, \sigma_v, e_1, \ldots, e_d, \pi_{e_1}, \ldots, \pi_{e_d})$ where $e_i \in E$ (if there are fewer than $d$ outgoing edges pick dummy values for the remaining edges). For each node $1 \le v \le k$ pick a random “key” $\kappa_v$ from $\{0,1\}^k$; let $\kappa_1 = 0^k$ (recall that 1 is the start node). Define the function $W_G$ as follows:

$$W_G(u, \kappa, i, x) = \begin{cases} (v, \sigma_v, \kappa_v) & \text{if } \kappa = \kappa_u \text{ and } \exists v \in [k] \text{ such that } (u, v, i) \in E \text{ and } \pi_{(u,v,i)} = x \\ \bot & \text{otherwise.} \end{cases}$$

The obfuscation consists of an obfuscation of $W_G$ (which is a multi-point function with at most $kd$ input points where the output is not $\bot$, and hence can be obfuscated).
Intuitively, this is a good obfuscation because the adversary cannot find the randomly chosen key of a node unless it was given out by the (obfuscated) function $W_G$. But the only way to obtain that is to give $\pi_e$ for an edge leading to $v$ from a node $u$ to which the adversary already has the key. Since, to start with, the only key the adversary knows is $\kappa_1$, it must indeed traverse a path from 1 to $v$ by providing all the edge-passwords in order to get to $v$.
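As an added illustration (not code from the paper), the following Python instantiates the point-function obfuscations of Lemma 4 and Theorem 2, the multi-point function of Lemma 5, and the $W_G$ construction above, with SHA-256 standing in for the random oracle $\mathcal{R}$ (an assumption: this gives a heuristic instantiation, not the model of the proofs). The byte lengths, the tuple encoding, the padding of $(v, \sigma_v, \kappa_v)$ into $\{0,1\}^{\ell(k)}$ and the graphs fed to it are constructed for this example.

```python
# Added example (not from the paper): heuristic instantiation of the Lemma 4 and
# Theorem 2 point-function obfuscations, the Lemma 5 multi-point function and the
# Section 5 Access Automaton W_G. SHA-256 replaces the random oracle R (assumption).
import hashlib
import os
from typing import Dict, List, Optional, Tuple

K = 16  # feasibility parameter k in bytes (k = 128 bits), constructed
L = 64  # output length l(k) in bytes of a general-output point function, constructed


def encode(*parts: bytes) -> bytes:
    """Unambiguous length-prefixed encoding of a tuple of byte strings."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def decode(data: bytes) -> List[bytes]:
    parts, pos = [], 0
    while pos < len(data):
        n = int.from_bytes(data[pos:pos + 2], "big")
        parts.append(data[pos + 2:pos + 2 + n])
        pos += 2 + n
    return parts


def R(data: bytes) -> bytes:
    """Stand-in for R: {0,1}* -> {0,1}^{2k+l(k)} (SHA-256 in counter mode; assumption)."""
    blocks = (2 * K + L + 31) // 32
    out = b"".join(hashlib.sha256(encode(data, bytes([i]))).digest() for i in range(blocks))
    return out[:2 * K + L]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Lemma 4: O^R(P_alpha) stores r = R(alpha); on input x answer 1 iff R(x) = r.
def obfuscate_point(alpha: bytes) -> bytes:
    return R(alpha)


def eval_point(r: bytes, x: bytes) -> int:
    return 1 if R(x) == r else 0


# Theorem 2: O^R(Q_{alpha,beta}) stores (psi, a, c) with a = R1(psi, alpha) and
# c = beta xor R2(psi, alpha). The fresh psi is what makes these self-composing
# (Definition 6), whereas the Lemma 4 programs reveal equal alphas (Claim 1).
def obfuscate_general(alpha: bytes, beta: bytes) -> Tuple[bytes, bytes, bytes]:
    assert len(beta) == L
    psi = os.urandom(K)
    h = R(encode(psi, alpha))
    return psi, h[:2 * K], xor(beta, h[2 * K:])


def eval_general(prog: Tuple[bytes, bytes, bytes], x: bytes) -> Optional[bytes]:
    psi, a, c = prog
    h = R(encode(psi, x))
    if h[:2 * K] != a:
        return None  # the paper's bottom
    return xor(h[2 * K:], c)


# Lemma 5: a multi-point function is the array [O(Q_1), ..., O(Q_t)].
def obfuscate_multipoint(points: List[Tuple[bytes, bytes]]):
    return [obfuscate_general(alpha, beta) for alpha, beta in points]


def eval_multipoint(progs, x: bytes) -> List[Optional[bytes]]:
    return [eval_general(p, x) for p in progs]


def pad(s: bytes) -> bytes:
    """Fit a variable-length value into {0,1}^{l(k)} (length byte, then zero padding)."""
    assert len(s) < L
    return bytes([len(s)]) + s + bytes(L - 1 - len(s))


def unpad(s: bytes) -> bytes:
    return s[1:1 + s[0]]


# Section 5: W_G(u, kappa, i, x) = (v, sigma_v, kappa_v) if kappa = kappa_u and
# pi_(u,v,i) = x, else bottom, realised as a multi-point function with one point
# per edge. edges maps (u, i) to (v, password); nodes are 1..k_nodes; kappa_1 = 0^k.
def obfuscate_access_automaton(edges: Dict[Tuple[int, int], Tuple[int, bytes]],
                               secrets: Dict[int, bytes], k_nodes: int):
    kappa = {v: os.urandom(K) for v in range(1, k_nodes + 1)}
    kappa[1] = bytes(K)
    points = []
    for (u, i), (v, pw) in edges.items():
        alpha = encode(u.to_bytes(2, "big"), kappa[u], i.to_bytes(2, "big"), pw)
        beta = pad(encode(v.to_bytes(2, "big"), secrets.get(v, b""), kappa[v]))
        points.append((alpha, beta))
    return obfuscate_multipoint(points)


# The machine M of Lemma 6: walk from node 1 by feeding (u, kappa_u, i, x) to W_G.
def run_access(prog, queries: List[Tuple[int, bytes]]) -> Optional[Tuple[int, bytes]]:
    u, kappa, sigma = 1, bytes(K), b""
    for i, x in queries:
        alpha = encode(u.to_bytes(2, "big"), kappa, i.to_bytes(2, "big"), x)
        hits = [b for b in eval_multipoint(prog, alpha) if b is not None]
        if not hits:
            return None  # wrong password, wrong key, or no such edge
        v_bytes, sigma, kappa = decode(unpad(hits[0]))
        u = int.from_bytes(v_bytes, "big")
    return u, sigma
```

A correct password for an edge deep in the graph, presented from node 1, returns None: without $\kappa_u$ for the edge's source node the query matches no point, which is the "must traverse a path from 1" property argued above.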

Formally, we first define a probabilistic program $\widetilde{W}_G$ which picks the random keys above to get a particular deterministic function $W_G$. Then we show that the family $\mathcal{X} \ll_{\approx} \mathcal{W}$, where $\mathcal{W}$ is the family of all $\widetilde{W}_G$ as above.

Definition 13. Define the randomized algorithm $\widetilde{W}_G$ as follows: for $v \in [k]$, pick random keys $\kappa_v \leftarrow \{0,1\}^k$. On input $(u, \kappa, i, x)$ return $W_G(u, \kappa, i, x)$.

We define the family of functions $\mathcal{W}$ as the set of all $\widetilde{W}_G$ (with parameters $(k, d)$) over all multi-graphs $G$, sets of edge-passwords and sets of node-secrets.

Lemma 6. $\mathcal{X} \ll_{\approx} \mathcal{W}$.

Proof: For $X_G \in \mathcal{X}$ we pick $\widetilde{W}_G \in \mathcal{W}$ and demonstrate $M$ and $N$ as required by the definition of the relation $\ll_{\approx}$.

$M$ such that $M^{\widetilde{W}_G} = X_G$: On input $(i_1, x_1), \ldots, (i_n, x_n)$ query $\widetilde{W}_G$ with $(1, 0^k, i_1, x_1)$; if $\widetilde{W}_G$ returns $(v_2, \sigma_{v_2}, \kappa_{v_2})$, query it with $(v_2, \kappa_{v_2}, i_2, x_2)$ and so on, until it either returns $\bot$ or we reach the end of the input and receive $(v_n, \sigma_{v_n}, \kappa_{v_n})$. In either case output this value.

$N$ such that $N^{X_G} \approx \widetilde{W}_G$: $N$ internally maintains two tables: one table is for keys $\kappa_v$, and one for paths to each node $v$ from node 1, with edge passwords for each edge appearing on the path. Initially it sets $\kappa_1 = 0^k$ and all other keys as $\bot$, and does not have any paths recorded for any node. On input $(u, \kappa, i, x)$, $N$ checks if $\kappa = \kappa_u \ne \bot$. If not it returns $\bot$. Else it will have recorded a path $(v_1 = 1, v_2, i_1, x_1), \ldots, (v_t, v_{t+1} = u, i_t, x_t)$ such that $x_j = \pi_{(v_j, v_{j+1}, i_j)}$. It makes a query $(i_1, x_1), \ldots, (i_t, x_t), (i, x)$ to $X_G$. If $X_G$ responds with $\bot$, $N$ outputs $\bot$. Else, it receives $(v, \sigma_v)$ from $X_G$. It checks if a key has already been assigned to $v$; if not it picks a random key and assigns that to $v$. Then it returns $(v, \sigma_v, \kappa_v)$.

It is not hard to see that for any PPT $S'$ interacting with $\widetilde{W}_G$ or $N^{X_G}$, the output distribution of $N^{X_G}$ is the same as that of $\widetilde{W}_G$, when both distributions are conditioned on the event that $S'$ never makes a query with a valid key which it did not receive as the answer to a previous query. But the complementary event has negligible probability, and so $N^{X_G} \approx \widetilde{W}_G$. □

Note that $\mathcal{W}$ is a family of probabilistic machines, such that if we consider the family obtained by fixing the random-tapes of machines in $\mathcal{W}$ in all possible ways, we get a sub-family of $\mathcal{Q}^*$ (Definition 11). This sub-family is obfuscatable (because $\mathcal{Q}^*$ is obfuscatable, by Lemma 5). Then, from the above lemma and Lemma 2, we conclude the following.

Theorem 3. The family $\mathcal{X}$ is efficiently obfuscatable in the random oracle model.
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6 Regular Expressions and Obfuscations 

Let S be an alphabet (of constant size). We consider regular expressions over S U 
, ■ • • , C^* where are formal symbols corresponding to languages Li. We de- 
fine whether or not a string s & E* matches such a regular expression p(Li, . . . , Lt) as 
follows: s matches a symbol if s G Li. The rest of the rules are the usual ones: a 
single character a G E matches itself; s G E* matches pi \p 2 if it matches either pi or 
P 2 \ s matches pi • p 2 if s = si • S 2 such that si matches pi and S 2 matches p 2 \ finally 
s matches p* if s is the null-string, or s = si • S 2 • • • Sfc where each Si matches p. If 
s matches a regular expression p, we write s ^ p. Below stands for the 

language defined as the set of all strings matching p(Li, . . . ,Lt). 

6.1 Obfuscating 

Consider the case when the languages L_i above are the point functions P_{α_i}. In this section we consider a family of functions where for all k and all U^{α_1,…,α_t} ∈ 𝒰_{p,k} there is a single fixed regular expression p. However, for each k, the point functions P_{α_i} belong to the family of point functions on ∪_{j=0}^{k} {0,1}^j. For brevity we denote ℒ_{p(P_{α_1},…,P_{α_t})} by ℒ_{p(α_1,…,α_t)}. 

Definition 14. Define the function U^{α_1,…,α_t} as follows: on input x ∈ {0,1}*, check if x ∈ ℒ_{p(α_1,…,α_t)}. If so return α_1, …, α_t; else return ⊥. Let 𝒰_{p,k} = {U^{α_1,…,α_t} : α_i ∈ ∪_{j=0}^{k} {0,1}^j} and 𝒰_p = ∪_k 𝒰_{p,k}. 

Unless a string in the language ℒ_{p(α_1,…,α_t)} is given as input, U^{α_1,…,α_t} reveals nothing beyond the fact that the string is not in the language. We show that this function can be completely obfuscated. 

Theorem 4. For any regular expression p, the family 𝒰_p is efficiently obfuscatable in the random oracle model. 

To prove this, we introduce another family of functions 𝒱_p, and show that 𝒰_p ≪ 𝒱_p. Then, we show that 𝒱_p can be obfuscated (in the random oracle model). 

Recall that p is a regular expression over the symbols Σ ∪ {C^{α_1}, …, C^{α_t}}. We can convert this to a deterministic finite-state automaton (DFA), with some of the edges labeled with C^{α_i}. Define a set Z_p of subsets of [t] as follows. If there is a path in the above DFA from the start state to some accept state, in which the set of non-Σ symbols appearing is {C^{α_i} : i ∈ Z ⊆ [t]}, then Z ∈ Z_p. In other words, Z_p is the set of all subsets of the α_i's such that knowing the α_i's in any of these subsets will enable one to construct a string in ℒ_{p(α_1,…,α_t)}. Note that Z_p can be constructed from p, independent of α_1, …, α_t. 

Definition 15. Define the function V^{α_1,…,α_t} as follows: on input (β_1, …, β_t), β_i ∈ {0,1}*, check if ∃Z ∈ Z_p such that ∀i ∈ Z, β_i = α_i. If so return α_1, …, α_t; else return ⊥. Let 𝒱_{p,k} = {V^{α_1,…,α_t} : α_i ∈ ∪_{j=0}^{k} {0,1}^j} and 𝒱_p = ∪_k 𝒱_{p,k}. 



Lemma 7. 𝒰_p ≪ 𝒱_p for all regular expressions p. 

Proof: Corresponding to U^{α_1,…,α_t} ∈ 𝒰_p we pick V^{α_1,…,α_t} ∈ 𝒱_p. 

Constructing M such that M^{V^{α_1,…,α_t}} = U^{α_1,…,α_t}: As input M^{V^{α_1,…,α_t}} receives a string x ∈ {0,1}*. It needs to check if x ∈ ℒ_{p(α_1,…,α_t)}. M chooses t substrings of x as guesses for α_1, …, α_t. If |x| = n there are O(n^{2t}) such choices. But by our convention, since p is fixed, t is a constant and n^{2t} is still polynomial in n, the size of the input to M. For each such guess (β_1, …, β_t), M queries V^{α_1,…,α_t} on (β_1, …, β_t). If V^{α_1,…,α_t} returns ⊥ for all choices, M also outputs ⊥. If V^{α_1,…,α_t} returns (α_1, …, α_t) for any choice of (β_1, …, β_t), then M constructs the complete DFA (replacing the variables C^{α_i} with α_i) and checks if x is accepted by the DFA. If so, M outputs α_1, …, α_t; if not it outputs ⊥. 

If x ∈ ℒ_{p(α_1,…,α_t)}, then there is some path in the DFA for p which accepts x. Let Z be the set of all i such that C^{α_i} appears on this accepting path. By the way Z_p was constructed, Z ∈ Z_p. Further all these α_i appear as part of x. Thus, for some guess β_1, …, β_t, it will be the case that for all i ∈ Z, β_i = α_i. Thus if x ∈ ℒ_{p(α_1,…,α_t)}, M will obtain all of α_1, …, α_t from V^{α_1,…,α_t} and will be able to verify that x ∈ ℒ_{p(α_1,…,α_t)}. On the other hand if x ∉ ℒ_{p(α_1,…,α_t)} either α_1, …, α_t are not revealed to M, or they are and M will discover that x ∉ ℒ_{p(α_1,…,α_t)}. In either case M will output ⊥, as required. 

Constructing N such that N^{U^{α_1,…,α_t}} = V^{α_1,…,α_t}: As input N^{U^{α_1,…,α_t}} receives t strings (β_1, …, β_t). N needs to check if there is any Z ∈ Z_p such that ∀i ∈ Z, α_i = β_i. Associated with each Z is a path from the start state to an accept state in which the variables C^{α_i} appear for exactly those i ∈ Z. N chooses for each Z such a path, and constructs a string x_Z corresponding to that path, substituting β_i for C^{α_i}. It then submits x_Z to U^{α_1,…,α_t} (to which it has oracle access). If U^{α_1,…,α_t} responds with ⊥ for all x_Z, Z ∈ Z_p, then N outputs ⊥. If U^{α_1,…,α_t} responds with α_1, …, α_t for any x_Z, then N checks if ∃Z ∈ Z_p ∀i ∈ Z, α_i = β_i, and responds accordingly. It can be easily verified that N^{U^{α_1,…,α_t}} = V^{α_1,…,α_t}. □ 

Next we observe that 𝒱_p ≪ 𝒮*, where 𝒮* is the class of multi-point functions with general output (Definition 11). 

Lemma 8. 𝒱_p ≪ 𝒮*. 

Proof: Let Z_p = {Z_1, …, Z_l}, and for each Z_i ∈ Z_p, let the string γ^i be (γ^i_1, …, γ^i_t) where if j ∈ Z_i, γ^i_j = α_j and else γ^i_j = 0. 

For every V^{α_1,…,α_t} ∈ 𝒱_p consider the multi-point function Q ∈ 𝒮* with points γ^1, …, γ^l and output A = (α_1, …, α_t) (i.e., if Q is given one of the strings γ^1, …, γ^l, it outputs A). It is easy to verify that the following machines M and N are as required by Definition 4. 

M^Q, on input (β_1, …, β_t), does the following: for each Z_i ∈ Z_p it constructs a string δ^i = (δ^i_1, …, δ^i_t) where if j ∈ Z_i, δ^i_j = β_j and else δ^i_j = 0; then it queries Q with δ^i; if for any i it receives A from Q it outputs that, and else ⊥. 

N^{V^{α_1,…,α_t}}, on input δ = (δ_1, …, δ_t), queries V^{α_1,…,α_t} with δ. If it receives ⊥ as an answer, it also outputs ⊥. Else it receives A, and can then compute Q(δ), which it outputs. □ 

By Lemma 5, 𝒮* is obfuscatable, thereby completing the proof of 𝒱_p being obfuscatable. To complete the proof of Theorem 4, we appeal to Lemma 1, along with Lemma 7 and the above fact that 𝒱_p is obfuscatable. 

We remark that the construction above can easily be extended to also produce an 
arbitrary secret output if the input matches the regular expression. 

6.2 Obfuscating a Function Related to p(L_1, …, L_t) 

In this section we allow p to be part of the function (and therefore it can have size polynomial in k). We are interested in matching a given string against p(L_1, …, L_t) without compromising the black-box nature of ⟦L_1, …, L_t⟧. The family of functions we are interested in is below. 

Definition 16. Define G_p^{L_1,…,L_t} and F_p^{L_1,…,L_t} as follows: 

$$G_p^{L_1,\ldots,L_t}(a, x) = \begin{cases} p & \text{if } a = 1 \\ L_{a-1}(x) & \text{if } a \in \{2, \ldots, t+1\} \\ \bot & \text{otherwise} \end{cases}$$

$$F_p^{L_1,\ldots,L_t}(a, x) = \begin{cases} 1 & \text{if } a = 0 \text{ and } x \text{ matches } p(L_1, \ldots, L_t) \\ 0 & \text{if } a = 0 \text{ and } x \text{ does not match } p(L_1, \ldots, L_t) \\ G_p^{L_1,\ldots,L_t}(a, x) & \text{otherwise} \end{cases}$$

𝒢_𝒞 = {G_p^{L_1,…,L_t} : p a regular expression and L_i ∈ 𝒞} 

ℱ_𝒞 = {F_p^{L_1,…,L_t} : p a regular expression and L_i ∈ 𝒞} 

In other words, both G_p^{L_1,…,L_t} and F_p^{L_1,…,L_t} provide access to the languages L_i and to (the description of) the regular expression p. In addition, F_p^{L_1,…,L_t} gives access to the language defined by the regular expression p(L_1, …, L_t). 

Theorem 5. ℱ_𝒞 is obfuscatable if and only if {⟦L_1, …, L_t⟧ : L_i ∈ 𝒞} is. Further this statement holds restricted to efficient obfuscations too. 

First we prove the following lemma, which is the heart of the proof. It shows how to evaluate the regular expressions involving the L_i's with access to G_p^{L_1,…,L_t} alone. 

Lemma 9. 𝒢_𝒞 ≪ ℱ_𝒞 and ℱ_𝒞 ≪ 𝒢_𝒞 for all families 𝒞. 

Proof: One of the two reductions is easy to see. For the other direction, we have to demonstrate the polynomial time oracle machines M and N as in Definition 3. But N is trivial, and so is M's behaviour when on input (a, x) it sees a ≠ 0. The non-trivial case is when a = 0: M should match the input x with the regular expression p with only black-box access to the L_i. We give a fairly efficient algorithm using dynamic programming to achieve this. 

First M obtains the regular expression p from G (by giving input (1, ε)). It constructs a tree corresponding to p with leaf nodes corresponding to symbols from Σ ∪ {C^{L_1}, …, C^{L_t}}. Each internal node corresponds to one of the three operators |, · and *; in the first two cases the node will have two children and in the last case a single child. The root node corresponds to the whole regular expression p. The algorithm will consider the set S of all substrings of the input string x = x_1 … x_n; i.e., S = {x_i^j : 1 ≤ i ≤ j ≤ n} ∪ {ε}, where x_i^j denotes x_i … x_j. For each node it will try to find out all the strings in S which match the regular expression at that node. This is done bottom-up in the tree. To obtain this information at the leaf nodes, M makes O(n^2) queries to each L_i. 

Given this information for the children of a node, the information for that node itself can be obtained. In the case of a (|)-node (denoted by Q = Q_1 | Q_2) this is simple: for each string s ∈ S check if s ~ Q_1 or s ~ Q_2. If either case holds record that s ~ Q. For a (·)-node Q = Q_1 · Q_2 we do the following: 

for each s ∈ S do 
    for i = 0 to |s| do 
        if s_1^i ~ Q_1 AND s_{i+1}^{|s|} ~ Q_2 then 
            record s ~ Q 

The checks s_1^i ~ Q_1 and s_{i+1}^{|s|} ~ Q_2 are done by checking if those matchings have already been recorded. The (*)-nodes require a little more work. At a node Q = Q_1* we do the following: 

Let Q_1^1 denote Q_1 
for k = 2 to n do 
    for each s ∈ S \ {ε} do 
        for i = 0 to |s| do 
            if s_1^i ~ Q_1^{k-1} AND s_{i+1}^{|s|} ~ Q_1 then 
                record s ~ Q_1^k 
record ε ~ Q 
for each s ∈ S \ {ε} do 
    if s ~ Q_1^k for some k ∈ {1, …, n} then 
        record s ~ Q 

It is not hard to see that at each node the algorithm correctly records all s ∈ S which match the node. Finally, it checks if x ~ p by checking if it is recorded at the root node. □ 
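The dynamic programme of the proof above, as an added example that is not part of the paper: it evaluates a regular expression over Σ ∪ {C^{L_1}, …, C^{L_t}} bottom-up over the set S of all substrings of x, using each language L_i only through membership queries, so the oracle for L_i is never inspected beyond its answers. The tuple syntax for the expression tree, the function name `match_with_oracles` and the sample languages L_1, L_2 are assumptions of this illustration.

```python
"""Matching a string against p(L_1, ..., L_t) with only membership queries to
the languages L_i, following the bottom-up dynamic programme of Lemma 9.

Added illustration, not code from the paper.  The regular expression is given
as a small syntax tree of tuples (an assumption for this example):
    ("char", c)  ("lang", i)  ("alt", p1, p2)  ("cat", p1, p2)  ("star", p1)
Each language L_i is a Python predicate standing in for the black-box oracle.
"""


def match_with_oracles(tree, x, oracles):
    """Return (x ~ p, number of oracle queries made).

    S is the set of substrings x[i:j] for 0 <= i <= j <= n (j == i is epsilon);
    for every node of the tree we compute the subset of S that matches it.
    """
    n = len(x)
    spans = [(i, j) for i in range(n + 1) for j in range(i, n + 1)]
    nonempty = {(i, j) for (i, j) in spans if j > i}
    epsilons = {(i, i) for i in range(n + 1)}
    queries = 0

    def concat(left, right):
        """Spans s = s_1 . s_2 with s_1 matching `left` and s_2 matching `right`."""
        out = set()
        for (i, j) in spans:
            if any((i, m) in left and (m, j) in right for m in range(i, j + 1)):
                out.add((i, j))
        return out

    def evaluate(node):
        nonlocal queries
        kind = node[0]
        if kind == "char":
            return {(i, j) for (i, j) in spans if j == i + 1 and x[i] == node[1]}
        if kind == "lang":
            # Leaf C^{L_i}: one membership query per substring, O(n^2) in total.
            oracle = oracles[node[1]]
            hits = set()
            for (i, j) in spans:
                queries += 1
                if oracle(x[i:j]):
                    hits.add((i, j))
            return hits
        if kind == "alt":
            return evaluate(node[1]) | evaluate(node[2])
        if kind == "cat":
            return concat(evaluate(node[1]), evaluate(node[2]))
        if kind == "star":
            q1 = evaluate(node[1])
            # Q_1^k: non-empty strings that split into k pieces matching Q_1.
            power, closure = set(q1), set(q1)
            for _ in range(2, n + 1):
                power = concat(power, q1) & nonempty
                closure |= power
            return closure | epsilons      # epsilon ~ Q_1* always
        raise ValueError("unknown node kind %r" % kind)

    return (0, n) in evaluate(tree), queries


# Constructed sample: p = (C^{L_1} | d) . (C^{L_2})*, with
# L_1 = {ab, abab} and L_2 = non-empty strings over {c}.
ORACLES = {
    1: lambda s: s in ("ab", "abab"),
    2: lambda s: len(s) > 0 and set(s) == {"c"},
}
P = ("cat", ("alt", ("lang", 1), ("char", "d")), ("star", ("lang", 2)))

if __name__ == "__main__":
    for sample in ("abcc", "dcc", "d", "abd", ""):
        print(repr(sample), match_with_oracles(P, sample, ORACLES))
```

The query counter makes the cost visible: each C^{L_i} leaf costs exactly |S| = (n+1)(n+2)/2 membership queries, independent of the answers, which is what keeps the L_i black boxes.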

Proof: (of Theorem 5) By the above Lemma and Lemma 1, we can obfuscate ℱ_𝒞 if and only if we can obfuscate 𝒢_𝒞. We can view G_p^{L_1,…,L_t} as ⟦(p), L_1, …, L_t⟧, where (p) stands for the constant (and hence trivially obfuscatable) function which outputs p. Then by Lemma 3, 𝒢_𝒞 is obfuscatable if and only if {⟦L_1, …, L_t⟧ : L_i ∈ 𝒞} is obfuscatable. □ 



7 Obfuscating Neighborhoods in Tree Metrics 

Point functions are identity checks: they check if the input is identical to a particular value. A natural relaxation thereof is a neighborhood check. Consider some metric space from which the inputs are drawn. We would like to have a program which checks if the input is “near” a hidden point. 

We work in a restricted metric space: the space of “tree metrics,” where the points are nodes in a (rooted, undirected) tree, and the distance between two points is the length of the (unique) path between them. (We can allow a metric space that can be decomposed as a collection of a constant number of tree metrics, but for simplicity we stick to a single tree-metric.) 

Let ℳ stand for the metric space as well as (by abuse of notation) the tree defining it. Let d_ℳ(·, ·) be the distance function in ℳ. 

Definition 17. Define the function T^α_δ : ℳ → ℳ ∪ {⊥} as follows: 

$$T^{\alpha}_{\delta}(x) = \begin{cases} \alpha & d_{\mathcal{M}}(\alpha, x) \le \delta \\ \bot & d_{\mathcal{M}}(\alpha, x) > \delta \end{cases}$$

𝒯_k = {T^α_δ : ℳ a tree-metric, |ℳ| = …, α ∈ ℳ} and 𝒯 = ∪_k 𝒯_k. 

Obfuscating δ-neighborhoods in general metric spaces (beyond what can be achieved by exhaustively searching the entire δ-neighborhood of a point) is a challenging problem. But we show that for tree metrics this problem can be satisfactorily solved using a simple technique. To obfuscate T^α_δ, traverse the tree ℳ, starting at the node α, towards the root of the tree, for a distance δ, and pick the node at which we finish. (If we reach the root before δ steps pick the root.) Call this node β. We show that obfuscating T^α_δ is essentially the same as obfuscating the point function on β with output α (which as we have shown, can be efficiently obfuscated in the random oracle model). 



Lemma 10. 𝒯 ≪ 𝒬 (where 𝒬 is the family of point functions with general output, as in Definition 10). 

Proof: For T^α_δ ∈ 𝒯 we pick Q_{β,α} ∈ 𝒬. Q_{β,α} is the function which outputs α on input β and ⊥ everywhere else. 

M^{T^α_δ} works as follows: on input x ∈ ℳ query T^α_δ with x. If x were indeed equal to β then T^α_δ would respond with α. So if T^α_δ gives ⊥ return ⊥. If it gives α, locate β by traversing ℳ, and check if x is indeed β or not and answer accordingly. 

N^{Q_{β,α}} works as follows: on input x ∈ ℳ, check the first 2δ ancestors of x for being identical to β (using Q_{β,α}). If Q_{β,α} returns α on some query, check d_ℳ(x, α) and answer appropriately. If it returns ⊥ in all 2δ queries, then it is easy to see that the distance d_ℳ(x, α) > δ. In this case, output ⊥. □ 
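The reduction of Lemma 10, as an added example that is not the paper's code: `pick_beta` walks δ steps from α towards the root, and `neighborhood_via_point_function` is the machine N, which recovers T^α_δ(x) by checking x and its first 2δ ancestors against the point function Q_{β,α}. The parent-map tree, the function names and the `None` value standing for ⊥ are assumptions of this illustration; `check_reduction` confirms that N agrees with T^α_δ on every node.

```python
"""Reduction of the delta-neighbourhood function T^alpha_delta on a tree metric
to the point function Q_{beta,alpha} (Lemma 10).  Added illustration, not the
paper's code: the tree is a constructed parent map (child -> parent, root ->
None), and `neighborhood_via_point_function` is the machine N of the proof,
which sees alpha only through its oracle Q_{beta,alpha}."""


def ancestors(parent, node):
    """Upward path node, parent(node), ..., root."""
    path = [node]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    return path


def tree_distance(parent, x, y):
    """d_M(x, y): length of the unique path between x and y in the tree."""
    up_x, up_y = ancestors(parent, x), ancestors(parent, y)
    on_y = set(up_y)
    lca = next(v for v in up_x if v in on_y)      # lowest common ancestor
    return up_x.index(lca) + up_y.index(lca)


def neighborhood_function(parent, alpha, delta):
    """T^alpha_delta: alpha if d_M(alpha, x) <= delta, else None (standing for bottom)."""
    return lambda x: alpha if tree_distance(parent, x, alpha) <= delta else None


def pick_beta(parent, alpha, delta):
    """Walk delta steps from alpha towards the root (stopping at the root): this is beta."""
    path = ancestors(parent, alpha)
    return path[min(delta, len(path) - 1)]


def point_function(beta, alpha):
    """Q_{beta,alpha}: outputs alpha on input beta and bottom (None) elsewhere."""
    return lambda x: alpha if x == beta else None


def neighborhood_via_point_function(parent, q, delta, x):
    """Machine N: computes T^alpha_delta(x) using only oracle access to Q_{beta,alpha}.

    If d_M(x, alpha) <= delta then beta lies on x's upward path within 2*delta
    steps (at most delta up to the common ancestor with alpha, at most delta
    more up to beta), so querying x and its first 2*delta ancestors suffices.
    """
    for v in ancestors(parent, x)[:2 * delta + 1]:
        alpha = q(v)
        if alpha is not None:
            # alpha is now known, so the distance check can be done directly.
            return alpha if tree_distance(parent, x, alpha) <= delta else None
    return None


# Constructed tree:  r - a - c - e - f,  a - d,  r - b - g
PARENT = {"r": None, "a": "r", "b": "r", "c": "a", "d": "a",
          "e": "c", "f": "e", "g": "b"}


def check_reduction(parent, alpha, delta):
    """True iff N^{Q_{beta,alpha}} agrees with T^alpha_delta on every node."""
    t = neighborhood_function(parent, alpha, delta)
    q = point_function(pick_beta(parent, alpha, delta), alpha)
    return all(neighborhood_via_point_function(parent, q, delta, v) == t(v)
               for v in parent)


if __name__ == "__main__":
    print(pick_beta(PARENT, "f", 2), check_reduction(PARENT, "f", 2))
```

Note that N needs α only after Q_{β,α} has answered it, exactly as in the proof; before that point the only secret-dependent value it sees is the ⊥/α answer of the point function.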

By Lemma 1 and Theorem 2, we get: 

Theorem 6. 𝒯 is obfuscatable in the random oracle model. 



8 Conclusions and Open Problems 

We have given the first positive results and techniques for program obfuscation, but 
many important open problems remain. We are hopeful our reduction and composition 
techniques will aid in resolving these problems. The most pressing open problem is to 
extend our positive results beyond what we have. In particular, can regular languages 
be obfuscated? Is there any example of a keyed cryptographic primitive (even a con- 
trived one) other than password checking which can be obfuscated? Another important 
problem to be resolved is to find any non-trivial obfuscation result without using the 
random oracle model. Our approach, of reducing obfuscation of one family to obfus- 
cating another, could then be used to produce more obfuscations in the plain model. 
Also, such techniques are useful in a model where some basic functions may be obfus- 
cated in hardware; so one direction to pursue is to explore developing these techniques 
further. 
Abstract. Given two or more parties possessing large, confidential datasets, we consider the problem of securely computing the k^{th}-ranked element of the union of the datasets, e.g. the median of the values in the datasets. We investigate protocols with sublinear computation and communication costs. In the two-party case, we show that the k^{th}-ranked element can be computed in log k rounds, where the computation and communication costs of each round are O(log M), where log M is the number of bits needed to describe each element of the input data. The protocol can be made secure against a malicious adversary, and can hide the sizes of the original datasets. In the multi-party setting, we show that the k^{th}-ranked element can be computed in log M rounds, with O(s log M) overhead per round, where s is the number of parties. The multi-party protocol can be used in the two-party case and can also be made secure against a malicious adversary. 



1 Introduction 

For a set S ⊆ ℝ, the k^{th}-ranked element is the value x ∈ S that is ranked k in the list S sorted in increasing order of all elements. The p^{th}-percentile is the value x ∈ S such that p% of the values in S are below x. Of particular interest is the median or 50th-percentile, which is the element with rank p = [|S|/2]. Given two parties A and B with datasets D_A, D_B ⊆ ℝ, respectively, we consider the problem of privately computing the k^{th}-ranked element of D_A ∪ D_B. We also consider this problem in the multi-party case. In the setting we consider, the datasets D_A and D_B contain proprietary information, thus neither party is willing to share its data with the other. In addition, we assume that n = |D_A| + |D_B| is very large. 

There are many situations where secure computation of the k^{th}-ranked element is useful. For example, two health insurance companies may wish to compute the median life expectancy of their insured smokers. In such a setting, both the number of insured smokers as well as their life expectancies are private information, but the median life expectancy is of combined mutual interest. Another example is the annual Taulbee survey which collects salary and demographic data for faculty in computer science and computer engineering departments in North America. Each year, academic departments report only a small number of statistics like the average salary for assistant, associate and full professor positions. The Taulbee survey is thus able to publish only limited aggregate information. A secure, multi-party solution for the k^{th}-ranked element would enable universities to quickly compute the median salary without trusting individual salaries to Taulbee. Finally, secure computation of the k^{th}-ranked element facilitates secure computation of histograms [9,16,12]. 

* Supported in part by a Stanford Graduate Fellowship, NSF Grant ITR-0331640 and NSF Grant EIA-0137761. 

** Supported in part by NSF grant EIA-0137761. 

C. Cachin and J. Camenisch (Eds.): EUROCRYPT 2004, LNCS 3027, pp. 40-55, 2004. 
© International Association for Cryptologic Research 2004 

Secure Computation of the k^{th}-Ranked Element 

The problem we discuss is exactly that of secure computation. Namely, it involves several parties with private inputs that wish to compute a function of their joint inputs, and require that the process of computing the function does not reveal to an adversarial party (or a coalition of such parties) any information that cannot be computed using the input of the adversary and the output of the function. 

There exist well known solutions for secure computation of any function (see e.g. [18,11]). The general method employed by these solutions is to construct a combinatorial circuit that computes the required function, and then run a distributed protocol that securely evaluates the circuit.¹ The communication overhead of these generic protocols is linear in the size of the circuit. The computation involves (at the least) running an oblivious transfer protocol for every input gate, or for every gate of the circuit, depending on the implementation. The k^{th}-ranked element can be computed via a circuit of size Ω(n log M) (since reading in the input requires at least n log M gates), which implies that for large values of n the overhead of a secure protocol that is constructed by generic constructions is too large. In another generic construction, Naor and Nissim [15] show that any two-party communication protocol can be translated into a secure computation protocol, such that a protocol with communication complexity of c bits is transformed to a secure protocol with overhead of 2^c public key operations. This transformation can be applied to a protocol, due to Karchmer, for computing the median with log n communication bits [13]. 



Contributions We are motivated by applications where the total number of points owned by the parties (n) is very large, and thus even a linear communication and computation overhead might be prohibitive. Thus, we describe protocols with sublinear communication and computation overhead. Specifically, in the two-party case, we reduce the computation of the k^{th}-ranked element to O(log k) secure comparisons of (log M)-bit inputs², where log M is the number of bits needed to describe the elements in the sets D_A, D_B. We also show how to obtain security against malicious adversaries. In the multi-party case, we reduce the computation of the k^{th}-ranked element to O(log M) simple secure computations that involve additions and a comparison of (log M)-bit long numbers. Again, this protocol can be made secure against malicious adversaries. Interestingly, the multi-party solution can be applied to the two-party scenario if it uses secure two-party protocols as primitives. The protocol can even be directly applied to inputs that contain duplicate items, whereas the two-party protocol requires inputs comprising distinct inputs. This is in contrast to the typical case in secure computation where secure multi-party protocols require the presence of an honest majority, which is not available in the two-party case. 

¹ The interested reader can find a description of these protocols in the references above. Alternatively, descriptions of the two-party protocols are available at, e.g., [14,10], and descriptions of the multi-party protocols can be found, for example, in [1,8,10]. 

² If the two parties possess inputs x and y, a secure comparison reveals 0 if x > y and 1 otherwise, and nothing more, assuming the usual cryptographic assumptions. 

The protocols given in this paper are modifications of well known algorithms in the communication complexity literature [17,13]. Our contribution is the modifications and proofs of security that result in privacy-preserving solutions, for both semi-honest and malicious adversaries. In addition, we show how the parties can compute the k^{th}-ranked element while hiding from each other the actual sizes of their databases. 



Efficient Secure Computation via Reduction and Composition We take the same approach as that of previous solutions for secure computation of large inputs (e.g. [14,6,4]), and reduce this task to many invocations of secure computation of simpler functions of small inputs (but unlike these constructions, we also design protocols which are secure against malicious adversaries). That is, we describe a protocol for computing the k^{th}-ranked value which uses oracle queries to a few simple functionalities and is secure if these functionalities are computed by a trusted oracle. A composition theorem (see [2,3] and discussions below) shows that if the oracle queries are replaced by secure protocols, then the resulting combined protocol is also secure. In the semi-honest case the oracle queries can be replaced by very simple invocations of secure function evaluation. In the malicious adversary case they are replaced by a reactive secure computation of a simple function. We also note that the protocol computes the exact value of the k^{th}-ranked item, rather than computing an approximation as in [6]. 

1.1 Security Definitions and a Composition Theorem 

We describe protocols that are secure against malicious adversaries. We therefore use 
definitions that compare the actual execution of the protocol to an “ideal” implementa- 
tion, rather than use definitions that use simulation. The definitions we use follow those 
of Canetti and of Goldreich [2,10]. We also state a composition theorem that is used in 
analyzing the security of the protocols. 

A semi-honest adversary is an adversary that follows the instructions defined by the 
protocol. It might try, however, to use the information that it learns during the execution 
in order to learn information about the inputs of the other parties. A malicious adver- 
sary is an adversary that can behave arbitrarily. In particular, there are several things 
that a malicious adversary can do which we cannot hope to avoid: (1) it can refuse to 
participate in the protocol, (2) it can substitute an arbitrary value for its input, and (3) it 
can abort the protocol prematurely. Following [2,10] we do not consider here solutions 
for the fairness of the protocol (i.e. item (3) above - the early termination problem) 
since there is no perfect solution for this issue and existing solutions are quite complex. 

The security definition we use captures both the correctness and the privacy of the protocol. We only provide definitions for the two-party case. The definition is based on a comparison to the ideal model with a trusted third party (TTP), where corrupt parties can choose to give an arbitrary input to the trusted party, and to terminate the protocol prematurely, even at a stage where they have received their output and the other parties have not. We limit it to the case where both parties compute the same function f. 
Definition 1 (The Ideal Model). A strategy for party A in the ideal model is a pair of PPT (probabilistic polynomial time) algorithms, A_I(X, r) that uses the input X and a sequence of coin flips r to generate an input that A sends to the trusted party, and A_O(X, r, Z) which takes as an additional input the value Z that A receives from the TTP, and outputs A's final output. If A is honest then A_I(X, r) = X and A_O(X, r, Z) = Z. A strategy for party B is similarly defined using functions B_I(Y, r) and B_O(Y, r, Z). 

The definition is limited to the case where at least one of the parties is honest. We call an adversary that corrupts only one of the parties an admissible adversary. The joint execution of A and B in the ideal model, denoted IDEAL_{A,B}(X, Y), is defined to be 

- If B is honest, 
  • IDEAL_{A,B}(X, Y) equals (A_O(X, r, f(X', Y)), f(X', Y)), where X' = A_I(X, r) (in the case that A did not abort the protocol), 
  • or, IDEAL_{A,B}(X, Y) equals (A_O(X, r, f(X', Y)), −), where X' = A_I(X, r) (if A terminated the protocol prematurely). 

- If A is honest, 
  • IDEAL_{A,B}(X, Y) equals (f(X, Y'), B_O(Y, r, f(X, Y'))), where Y' = B_I(Y, r), 
  • or, IDEAL_{A,B}(X, Y) equals (−, B_O(Y, r, f(X, Y'))), where Y' = B_I(Y, r). 

In the real execution a malicious party could follow any strategy that can be implemented by a PPT algorithm. The strategy is an algorithm mapping a partial execution history to the next message sent by the party in the protocol. 

Definition 2 (The Real Model (for semi-honest and malicious adversaries)). Let f be as in Definition 1, and Π be a two-party protocol for computing f. Let (A', B') be a pair of PPT algorithms representing the parties' strategies. This pair is admissible w.r.t. Π if at least one of (A', B') is the strategy specified by Π for the corresponding party. In the semi-honest case the other party could have an arbitrary output function. In the malicious case, the other party can behave arbitrarily throughout that protocol. 

The joint execution of Π in the real model, denoted REAL_{Π,A',B'}(X, Y), is defined as the output pair resulting from the interaction between A'(X) and B'(Y). 

The definition of security states that an execution of a secure real model protocol under any admissible adversary can be simulated by an admissible adversary in the ideal model. 

Definition 3 (Security (for both the semi-honest case and the malicious case)). Let f and Π be as in Definition 2. Protocol Π securely computes f if for every PPT pair (A', B') that is admissible in the real model (of Definition 2) there is a PPT pair (A, B) that is admissible in the ideal model (of Definition 1), such that REAL_{Π,A',B'}(X, Y) is computationally indistinguishable from IDEAL_{A,B}(X, Y). 
Reactive Computations A reactive computation consists of steps in which parties provide inputs and receive outputs. Each step generates a state which is used by the following step. The input that a party provides at step i can depend on the outputs that it received in previous steps. (We limit ourselves to synchronous communication, and to an environment in which there are secure channels between the parties.) The protocols that we design for the malicious case implement reactive computation. Security definitions and constructions for reactive computation were discussed in [3,5] (in particular, they enable parties to abort the protocol at arbitrary stages). We will not describe these definitions in this extended abstract, due to their length and detail. 

A Composition Theorem Our protocols implement the computation of the k^{th}-ranked element by running many invocations of secure computation of simpler functionalities. Such constructions are covered by theorems of secure composition [2,3]. Loosely speaking, consider a hybrid model where the protocol uses a trusted party that computes the functionalities f_1, …, f_l. The secure composition theorem states that if we consider security in terms of comparing the real computation to the ideal model, then if a protocol is secure in the hybrid model, and we replace the calls to the trusted party by calls to secure protocols computing f_1, …, f_l, then the resulting protocol is secure. A secure composition theorem applies to reactive computation, too [3,5]. 

2 Two-Party Computation of the k^{th}-Ranked Element 

This section describes protocols for secure two-party computation of the k^{th}-ranked element of the union of two databases. The protocols are based on the observation that a natural algorithm for computing the k^{th}-ranked element discloses very little information that cannot be computed from the value of the k^{th}-ranked element itself. Some modification to that protocol can limit the information that is leaked by the execution to information that can be computed from the output alone. 

To simplify the description of the basic, insecure, protocol, we describe it for the case of two parties, A and B, each of which has an input of size n/2, that wish to compute the value of the median, i.e. the (n/2)^{th}-ranked element, of the union of their two inputs sorted in increasing order of their values. This protocol is a modification of the algorithm given in [17,13]. Assume for simplicity that all input values are different. The protocol operates in rounds. In each round, each party computes the median value of his or her input, and then the two parties compare their two median values. If A's median value is smaller than B's then A adjusts her input by removing the values which are less than or equal to her median, and B removes his input items which are greater than his median. Otherwise, A removes her items which are greater than her median and B removes his items which are less than or equal to his median. The protocol continues until the inputs are of length 1 (thus the number of rounds is logarithmic in the number of input items). The protocol is correct since when A's median is smaller than B's median, each of the items that A removes is smaller than A's median, which is smaller than at least n/4 inputs of A and n/4 inputs of B. Therefore the removed item cannot be the median. Also, the protocol removes n/4 items which are smaller than the median and n/4 which are greater than it, and therefore the median of the new data is the same as that of the original input. Other cases follow similarly. 
Suppose now that the comparison is done privately, i.e. that the parties only learn whose median value is greater, and do not learn any other information about each other's median value. We show below that in this case the protocol is secure. Intuitively this is true since, e.g., if party A knows the median value of her input and the median of the union of the two inputs, and observes that her median is smaller than the median of the union, then she can deduce that her median value is smaller than that of B. This means that given the final output of the protocol party A can simulate the results of the comparisons. Consequently, we have a reduction from securely computing the median of the union to securely computing comparisons. 
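The median protocol and the simulation argument above, as an added example that is not the paper's code: `median_protocol` runs the rounds with a stand-in for the secure comparison (its one-bit result is the only thing that crosses between the parties), and `simulate_transcript` reproduces A's view of those bits from her input and the output alone, which is the fact the security reduction rests on. The constructed datasets and the function names are assumptions of this illustration; as stated above, the protocol requires distinct values and equal, power-of-two input sizes.

```python
"""Simulation of the median protocol of Section 2 and of the simulator that the
security argument relies on.  Added illustration, not the paper's code: the
datasets are constructed, all values distinct, and each party holds 2^j items.
`secure_compare` stands in for the secure two-party comparison; the only thing
exchanged between the parties is its one-bit result."""


def median_of_union(d_a, d_b):
    """Reference answer: the (n/2)-th ranked element of the union, 1-indexed."""
    merged = sorted(d_a + d_b)
    return merged[len(merged) // 2 - 1]


def secure_compare(x, y):
    """Output of the comparison primitive as defined in the paper: 0 if x > y, 1 otherwise."""
    return 0 if x > y else 1


def median_protocol(d_a, d_b):
    """Run the rounds; return (median, list of comparison bits seen by both parties)."""
    s_a, s_b = sorted(d_a), sorted(d_b)
    if len(s_a) != len(s_b) or len(s_a) & (len(s_a) - 1):
        raise ValueError("inputs must have equal size, a power of two")
    transcript = []
    while len(s_a) > 1:
        half = len(s_a) // 2
        m_a, m_b = s_a[half - 1], s_b[half - 1]   # each party's own (lower) median
        bit = secure_compare(m_a, m_b)
        transcript.append(bit)
        if bit == 1:                 # m_a < m_b (values are distinct)
            s_a = s_a[half:]         # A drops her items <= m_a
            s_b = s_b[:half]         # B drops his items > m_b
        else:                        # m_a > m_b
            s_a = s_a[:half]         # A drops her items > m_a
            s_b = s_b[half:]         # B drops his items <= m_b
    # Two items remain, one per party; the (n/2)-th = 1st ranked is the smaller.
    return min(s_a[0], s_b[0]), transcript


def simulate_transcript(d_a, median):
    """Party A's view reconstructed from her input and the output alone.

    Her current median m_a is below B's exactly when m_a is below the median
    of the union, so every comparison bit follows from `median` without any
    knowledge of B's data.
    """
    s_a, bits = sorted(d_a), []
    while len(s_a) > 1:
        half = len(s_a) // 2
        m_a = s_a[half - 1]
        bit = 1 if m_a < median else 0
        bits.append(bit)
        s_a = s_a[half:] if bit == 1 else s_a[:half]
    return bits


# Constructed inputs (n = 8 in total, distinct values).
D_A = [3, 17, 8, 25]
D_B = [12, 1, 30, 6]

if __name__ == "__main__":
    med, transcript = median_protocol(D_A, D_B)
    print(med, transcript, simulate_transcript(D_A, med) == transcript)
```

Running the two functions side by side on the constructed inputs shows the transcript A observes during the protocol is exactly the one she could have written down herself from the output; nothing in the comparison bits depends on B's data beyond what the median already reveals.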

Secure comparison: The main cryptographic primitive that is used by the protocol is a two-party protocol for secure comparison. The protocol involves two parties, where party A has an input x and party B has an input y. The output is 0 if x > y and 1 otherwise. The protocol (which essentially computes a solution to Yao's millionaires problem) can be implemented by encoding the comparison function as a binary circuit which compares the bits encoding the two inputs, and applying to it Yao's protocol for secure two-party computation. The overhead is |x| oblivious transfers, and O(|x| + |y|) applications of a pseudo-random function, as well as O(|x| + |y|) communication. More efficient, non-interactive comparison protocols also exist (see e.g. [7]). 

2.1 A Protocol for Semi-Honest and Malicious Parties 

Following is a description of a protocol that finds the -ranked element in the union 
of two databases and is secure against semi-honest parties. The computation of the 
median is a specific case where k is set to be the sum of the two inputs divided by 
two. The protocol reduces the general problem of computing the fc*^-ranked element 
of arbitrary size inputs, to the problem of computing the median of two inputs of equal 
size, which is also a power of 2. To simplify the exposition, we assume that all the 
inputs are distinct. This issue is further discussed later. 

Security against a malicious adversary. The protocol for the semi-honest case can 
be amended to be secure against malicious adversaries. The main change is that the 
protocol must now verify that the parties provide consistent inputs to the different invo- 
cations of the secure computation of the comparisons. For example, if party A gave an 
input of value 100 to a secure comparison computation, and the result was that A must 
delete all its input items which are smaller than 100, then A cannot provide an input 
which is smaller than 100 to any subsequent comparison. We provide a proof that given 
this enforcement, the protocol is secure against malicious behavior. For this protocol, 
we do not force the input elements to be integers. However, if such an enforcement is 
required (e.g. if the input consists of rounded salary data), then the protocol for the ma- 
licious case verifies that there is room for sufficiently many distinct integers between 
the reported values of different elements of the input. This is made more precise later. 

In protocol Find-Ranked-Element that we describe here, we specify the additional functionality that is required in order to ensure security against malicious parties. Then in Section 2.3 we describe how to implement this functionality, and prove that given this functionality the protocol is secure against malicious adversaries. Of course, to obtain a protocol which is only secure against semi-honest adversaries, one should ignore the additional highlighted steps that provide security in the malicious case.
Protocol Find-Ranked-Element

Input: $D_A$ known to A, and $D_B$ known to B. Public parameter $k$ (for now, we assume that the numerical value of the rank of the element is known). All items in $D_A \cup D_B$ are distinct.

Output: The $k$-th ranked element in $D_A \cup D_B$.

1. Party A (resp., B) initializes $S_A$ (resp., $S_B$) to be the sorted sequence of its $k$ smallest elements in $D_A$ (resp., $D_B$).

2. If $|S_A| < k$ then Party A pads $(k - |S_A|)$ values of "$+\infty$" to its sequence $S_A$. Party B does the same: if $|S_B| < k$ then it pads $(k - |S_B|)$ values of "$+\infty$" to its sequence $S_B$.

3. Let $2^j$ be the smallest power of 2 greater than or equal to $k$. Party A pre-pads $S_A$ with $(2^j - k)$ values of "$-\infty$" and Party B pads $S_B$ with $(2^j - k)$ values of "$+\infty$". (The result is two input sets of size $2^j$ each, whose median, i.e. the $(2^j)$-th element of their union, is the $k$-th ranked element in $D_A \cup D_B$.)

In the malicious case: The protocol sets bounds $l_A = l_B = -\infty$ and $u_A = u_B = \infty$.

4. For $i = (j-1), \ldots, 0$:

A. A computes the $(2^i)$-th element of $S_A$, denoted $m_A$, and B computes the $(2^i)$-th element of $S_B$, $m_B$. (I.e., they compute the respective medians of their sets.)

B. A and B engage in a secure computation which outputs 0 if $m_A > m_B$, and 1 if $m_A < m_B$.

In the malicious case: The secure computation first checks that $l_A < m_A < u_A$ and $l_B < m_B < u_B$. If we want to force the input to be integral, then we check that $l_A + 2^i \le m_A \le u_A - 2^i$ and $l_B + 2^i \le m_B \le u_B - 2^i$ (the $2^i - 1$ items below and the $2^i$ items above the median must fit as distinct integers between the bounds). If these conditions are not satisfied, then the protocol is aborted. Otherwise, if $m_A > m_B$, the protocol sets $u_A$ to be $m_A$ and $l_B$ to be $m_B$. Otherwise it updates $l_A$ to $m_A$ and $u_B$ to $m_B$. Note that the lower and upper bounds are not revealed to either party.

C. If $m_A < m_B$, then A removes all elements ranked $2^i$ or less from $S_A$, while B removes all elements ranked greater than $2^i$ from $S_B$. On the other hand, if $m_A > m_B$, then A removes all elements ranked higher than $2^i$ from $S_A$, while B removes all elements ranked $2^i$ or lower from $S_B$.

5. (Here every party has an input set of size 1.) Party A and party B output the result of a secure computation of the minimum value of their respective elements.

In the malicious case: The secure computation checks that the inputs given in this step are consistent with the inputs given earlier. Specifically, for any item other than item $2^j$ of the original set of A (respectively B), this means that the value must be equal to $u_A$ (respectively $u_B$). For item $2^j$ of A (respectively B), it is verified that its value is greater than $l_A$ (respectively $l_B$).
Overhead: Since the value $j$ is at most $\log(2k)$ and the number of rounds of communication is $(j+1)$, the total number of rounds of communication is at most $\lceil \log(2k) \rceil$. In each round, the protocol performs at most one secure computation, which requires a comparison of $(\log M)$-bit integers. Thus the total communication cost is $O(\log M \cdot \log k)$ times the security parameter.



Proof of Correctness. Regardless of security issues, we first have to show that the protocol indeed computes the $k$-th ranked item. We need to show that (a) the preprocessing performed in Steps 1-3 does not eliminate the $k$-th ranked value and (b) the $(2^{i+1})$-th value of $S_A \cup S_B$ is the $k$-th ranked value in $D_A \cup D_B$ for each $i = j-1, \ldots, 0$ (where $S_A$, $S_B$ are the sorted sequences maintained by parties A, B, respectively, during iteration $i$). These two properties are shown in Lemma 1.

Lemma 1. In Protocol Find-Ranked-Element, the $(2^{i+1})$-th ranked element of $S_A \cup S_B$ in round $i$ of Step 4 (i.e., the median) is equal to the $k$-th ranked element in $D_A \cup D_B$, for $i = (j-1), \ldots, 0$.

Proof. Note that in the preprocessing (Step 1) we do not eliminate the $k$-th ranked element since the $k$-th ranked element cannot appear in position $(k+1)$ or higher in the sorted version of $D_A$ or $D_B$. Step 2 ensures that both sequences have size exactly $k$ without affecting the $k$-th ranked element (since padding is performed at the end of the sequences). And, Step 3 not only ensures that the length of both sequences is a power of 2, but also pads $S_A$ and $S_B$ so that the $(2^j)$-th element of the union of the two sequences is the $k$-th ranked element of $D_A \cup D_B$. This establishes the Lemma for the case where $i = (j-1)$.

The remaining cases of $i$ follow by induction. We have essentially transformed the original problem to that of computing the median between two sets of equal size $2^{i+1}$. Note that neither party actually removes the median of $S_A \cup S_B$: if $m_A < m_B$ then there are at least $2 \cdot 2^i$ points in $S_A$ and $S_B$ that are larger than $m_A$, and at least $2 \cdot 2^i - 1$ points in $S_A$ and $S_B$ that are smaller than $m_B$, thus no point in $S_A$ that is less than or equal to $m_A$ can be the median, nor can any point in $S_B$ greater than $m_B$. A similar argument follows in the case that $m_A > m_B$. Furthermore, the modifications made to $S_A$ and $S_B$ maintain the median of $S_A \cup S_B$ since at each iteration an equal number of elements are removed from above and below the median (exactly half of the points of each party are removed). The lemma follows.



2.2 Security for the Semi-Honest Case 

In the semi-honest case, the security definition in the ideal model is identical to the definition which is based on simulation (which we haven't explicitly described). Thus, it is sufficient to show that, assuming that the number of elements held by each party is public information, party A (and similarly party B), given its own input and the value of the $k$-th ranked element, can simulate the execution of the protocol in the hybrid model, where the comparisons are done by a trusted party (the proof follows by the composition theorem). We describe the proof in detail for the case of party A simulating the execution.
Let $x$ be the $k$-th ranked element which the protocol is supposed to find. Then, party A simulates the protocol as follows:

Algorithm Simulate-Find-Rank

Input: $D_A$ and $x$ known to A. Public parameter $k$. All items in $D_A \cup D_B$ are distinct.
Output: Simulation of running the protocol for finding the $k$-th ranked element in $D_A \cup D_B$.

1. Party A initializes $S_A$ to be the sorted sequence of its $k$ smallest elements in $D_A$.

2. If $|S_A| < k$ then Party A pads $(k - |S_A|)$ values of "$+\infty$" to its sequence.

3. Let $2^j$ be the smallest power of 2 greater than or equal to $k$. Party A pre-pads $S_A$ with $(2^j - k)$ values of "$-\infty$".

4. For $i = (j-1), \ldots, 0$:

A. A computes the $(2^i)$-th element of $S_A$, $m_A$.

B. If $m_A < x$, then the secure computation is made to output 1, i.e., $m_A < m_B$; else it outputs 0.

C. If $m_A < x$, then A removes all elements ranked $2^i$ or less from $S_A$. On the other hand, if $x < m_A$, then A removes all elements ranked higher than $2^i$ from $S_A$.

5. The final secure computation outputs 1 if $m_A < x$ and 0 otherwise (in this case $m_A = x$ is the median).



Lemma 2. The transcript generated by Algorithm Simulate-Find-Rank is the same as the transcript generated by Protocol Find-Ranked-Element. In addition, the state information that Party A has after each iteration of Step 4, namely $(S_A, k)$, correctly reflects the state of Protocol Find-Ranked-Element after the same iteration.

Proof. We prove the lemma by induction on the number of iterations. Assume that the lemma is true at the beginning of an iteration of Step 4, i.e. Algorithm Simulate-Find-Rank has been correctly simulating Protocol Find-Ranked-Element and its state correctly reflects the state of Protocol Find-Ranked-Element at the beginning of the iteration. We show that $m_A < x$ if and only if $m_A < m_B$. If $m_A < x$ then the number of points in $S_A$ smaller than $x$ is at least $2^i$. If by way of contradiction $m_B < m_A$, then $m_B < x$, implying that the number of points in $S_B$ smaller than $x$ is at least $2^i$. Thus the total number of points in $S_A \cup S_B$ smaller than $x$ would be at least $2^{i+1}$, contradicting that $x$ is the median. So, $m_A < m_B$. On the other hand, if $m_A < m_B$, and by way of contradiction, $m_A \ge x$, then $x \le m_A < m_B$. Thus the number of points in $S_B$ greater than $x$ is strictly more than $2^i$. Also, at least $2^i$ points in $S_A$ are greater than $x$. Thus, the number of points in $S_A \cup S_B$ greater than $x$ is strictly more than $2^{i+1}$, again contradicting that $x$ is the median. So, $m_A < x$. Thus, the secure computations in Step 4 of Algorithm Simulate-Find-Rank return the same outputs as in Protocol Find-Ranked-Element.
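The following is an added example, not code from the paper: Protocol Find-Ranked-Element run in the hybrid model, where a trusted party (our `TrustedComparator`) stands in for the secure computations of Steps 4(B) and 5 and also enforces the malicious-case bound checks, together with party A's simulator from Section 2.2 so that Lemma 2 can be checked by comparing transcripts. All names are ours. Two assumptions: inputs are distinct integers, and the finite sentinels `LO`/`HI` stand in for the paper's $-\infty$/$+\infty$ padding values; because padding values repeat, a sentinel is allowed to equal its bound in the check $l < m < u$, which is our reading of how the check must be implemented for honest inputs to pass (real values must still satisfy the strict inequalities).

```python
import random

LO, HI = -1, 10**9      # finite stand-ins for the paper's -inf/+inf (assumption)

class Abort(Exception):
    """Raised by the trusted party when a party's input contradicts an earlier round."""

def preprocess(D, k, party):
    """Steps 1-3: k smallest, pad with +inf to length k, then pad to size 2^j."""
    S = sorted(D)[:k]
    S += [HI] * (k - len(S))
    j = (k - 1).bit_length()                 # 2^j = smallest power of 2 >= k
    pad = (1 << j) - k
    S = [LO] * pad + S if party == "A" else S + [HI] * pad
    return S, j

class TrustedComparator:
    """Ideal functionality for Steps 4(B) and 5, holding l_A, u_A, l_B, u_B."""
    def __init__(self):
        self.l = {"A": LO - 1, "B": LO - 1}
        self.u = {"A": HI + 1, "B": HI + 1}
        self.u_set = {"A": False, "B": False}    # has the party ever kept its lower half?
        self.bits = []                            # the public transcript

    def _in_bounds(self, p, m):
        # Padding values repeat, so a sentinel may equal its bound; real values may not.
        return self.l[p] <= m <= self.u[p] if m in (LO, HI) else self.l[p] < m < self.u[p]

    def compare(self, mA, mB):
        """Step 4(B): 0 if m_A > m_B, else 1; updates the bounds as the protocol does."""
        if not (self._in_bounds("A", mA) and self._in_bounds("B", mB)):
            raise Abort("median outside the bounds implied by earlier comparisons")
        if mA > mB:
            self.u["A"], self.l["B"], self.u_set["A"] = mA, mB, True
            bit = 0
        else:
            self.l["A"], self.u["B"], self.u_set["B"] = mA, mB, True
            bit = 1
        self.bits.append(bit)
        return bit

    def final_min(self, vA, vB):
        """Step 5: a party that ever kept its lower half must hold u; otherwise it
        holds its original 2^j-th item, which must exceed l."""
        for p, v in (("A", vA), ("B", vB)):
            if not (v == self.u[p] if self.u_set[p] else v > self.l[p]):
                raise Abort("final element inconsistent with earlier comparisons")
        return min(vA, vB)

def find_ranked_element(DA, DB, k):
    """Protocol Find-Ranked-Element; returns (k-th ranked element, transcript bits)."""
    SA, j = preprocess(DA, k, "A")
    SB, _ = preprocess(DB, k, "B")
    tp = TrustedComparator()
    for i in range(j - 1, -1, -1):
        h = 1 << i
        if tp.compare(SA[h - 1], SB[h - 1]) == 1:   # m_A < m_B
            SA, SB = SA[h:], SB[:h]                  # A drops ranks <= 2^i, B ranks > 2^i
        else:                                        # m_A > m_B
            SA, SB = SA[:h], SB[h:]
    return tp.final_min(SA[0], SB[0]), tp.bits

def simulate_A(DA, k, x):
    """Algorith Simulate-Find-Rank: A's transcript from its own input and the output x."""
    SA, j = preprocess(DA, k, "A")
    bits = []
    for i in range(j - 1, -1, -1):
        h = 1 << i
        if SA[h - 1] < x:
            bits.append(1)
            SA = SA[h:]
        else:
            bits.append(0)
            SA = SA[:h]
    return bits

def check_random_instances(trials=300, seed=7):
    """Lemma 1 and Lemma 2 on random distinct inputs: right answer, same transcript."""
    rng = random.Random(seed)
    for _ in range(trials):
        pool = rng.sample(range(10**6), 24)
        DA, DB = pool[:rng.randrange(1, 13)], pool[13:13 + rng.randrange(1, 12)]
        k = rng.randrange(1, len(DA) + len(DB) + 1)
        x, bits = find_ranked_element(DA, DB, k)
        if x != sorted(DA + DB)[k - 1] or bits != simulate_A(DA, k, x):
            return False
    return True

def rejects_inconsistent_input():
    """A cheating A: after m_A = 5 < m_B = 9 (so l_A = 5) it later offers m_A = 3."""
    tp = TrustedComparator()
    tp.compare(5, 9)
    try:
        tp.compare(3, 10)
    except Abort:
        return True
    return False
```

`find_ranked_element([5], [7, 9], 3)` returns `(9, [1, 0])`: in round $i=1$ A's median 5 is below B's median 9, so A keeps its upper half (two $+\infty$ pads) and B its lower half; in round $i=0$ A's $+\infty$ exceeds B's 7, and the final minimum is 9. `simulate_A([5], 3, 9)` reproduces the same two bits from A's input and the output alone, which is what Lemma 2 claims.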
Duplicate Items. Protocol Find-Ranked-Element preserves privacy as long as no two input elements are identical (this restriction must be met for each party's input, and also for the union of the two inputs). The reason for this restriction is that the execution of the protocol reveals to each party the exact number of elements in the other party's input which are smaller than the $k$-th ranked item of the union of the two inputs. If all elements are distinct then given the $k$-th ranked value each party can compute the number of elements in its own input that are smaller than it, and therefore also the number of such elements in the other party's input. This information is sufficient for simulating the execution of the protocol. However, if the input contains identical elements then given the $k$-th ranked value it is impossible to compute the exact number of elements in the other party's input which are smaller than it and to simulate the protocol. (For example, if several items in A's input are equal to the $k$-th ranked element then the protocol could have ended with a comparison involving any one of them. Therefore A does not know which of the possible executions took place.)

Handling duplicate items. Protocol Find-Ranked-Element-MultiParty in Section 3 can securely compute the $k$-th ranked item even if the inputs contain duplicate elements, and can be applied to the two-party case (although with $\log M$ rounds, instead of $\log k$). Also, protocol Find-Ranked-Element can be applied to inputs that might contain identical elements, if they are transformed into inputs containing distinct elements. This can be done, for example, in the following way: Let the total number of elements in each party's input be $n$. Add $\lceil \log n \rceil + 1$ bits to every input element, in the least significant positions. For every element in A's input let these bits be a "0" followed by the rank of the element in a sorted list of A's input values. Apply the same procedure to B's inputs using a "1" instead of a "0". Now run the original protocol using the new inputs, but ensure that the output does not include the new least significant bits of the $k$-th item. The protocol is privacy preserving with regard to the new inputs (which are all distinct). Also, this protocol does not reveal to party A more information than running the original protocol with the original inputs and in addition providing A with the number of items in B's input which are smaller than the $k$-th value (the same holds of course w.r.t. B). This property can be verified by observing that if A is given the $k$-th ranked element of the union of the two inputs, as well as the number of elements in B's input which are smaller than this value, it can simulate the operation of the new protocol with the transformed input elements.

Hiding the Size of the Inputs. Assume that the parties wish to hide from each other the size of their inputs. Note that if $k$ is public then the protocol that we described indeed hides the sizes of the inputs, since each party transforms its input to one of size $k$. This solution is insufficient, though, if $k$ discloses information about the input sizes. For example, if the protocol computes the median, then $k$ is equal to half the sum of the sizes of the two inputs. We next show how to hide the size of the inputs when the two parties wish to compute the value of the percentile, which includes the case of computing the median (which is the 50th percentile).

-Percentile. The percentile is the element with rank $\lceil \cdot (|D_A| + |D_B|) \rceil$. We assume that an upper bound $U$ on the number of elements held by each party is known. Both parties first pad their inputs to get $U$ elements each, in a way that keeps the value of the percentile. For this, if a party A needs to add $X = U - |D_A|$ elements to its input, it adds $\cdot X$ elements with value $-\infty$ and the remaining elements with value $+\infty$ (to simplify the exposition, we assume that $\cdot X$ is an integer). Party B acts in a similar way. Then the parties engage in a secure computation of the percentile, which is the $(\cdot 2U)$-th ranked element of the new inputs, using the protocol we described above.
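The two input transformations of this section, as an added example that is not part of the paper: `make_distinct` implements the "tag bit followed by rank" suffix that removes duplicates, and `pad_for_percentile` implements the $-\infty$/$+\infty$ padding to the public bound $U$. A plain sort plays the role of the trusted party computing the $k$-th ranked element, so the checks show only that the transformations preserve the rank, not the privacy argument. The name `p` for the (unnamed on this page) percentile fraction, the sentinels `LO`/`HI` for $\pm\infty$, and all function names are ours; `percentile_hiding_sizes` generalizes the paper's integrality simplification slightly by taking the ceiling of the padded rank, which agrees with the unpadded rank whenever `p * X` is an integer for both parties.

```python
import random
from fractions import Fraction
from math import ceil

LO, HI = -1, 10**9      # finite stand-ins for -inf/+inf; inputs must lie strictly between

def make_distinct(D, tag, n):
    """Append ceil(log2 n)+1 low-order bits: the party tag (0 for A, 1 for B), then
    the element's rank within sorted(D). Order on the original value is preserved."""
    assert len(D) <= n and tag in (0, 1)
    w = (n - 1).bit_length() + 1                     # ceil(log2 n) rank bits + 1 tag bit
    return [(v << w) | (tag << (w - 1)) | r for r, v in enumerate(sorted(D))], w

def kth_with_duplicates(DA, DB, k, n):
    """k-th ranked element of the multiset union DA u DB via the distinct transform."""
    TA, w = make_distinct(DA, 0, n)
    TB, _ = make_distinct(DB, 1, n)
    assert len(set(TA + TB)) == len(TA) + len(TB)   # the transformed inputs are distinct
    x = sorted(TA + TB)[k - 1]                       # stands in for Find-Ranked-Element
    return x >> w                                    # never output the added low bits

def pad_for_percentile(D, U, p):
    """Pad D to U elements: p*(U-|D|) copies of -inf below, the rest +inf above."""
    X = U - len(D)
    below = Fraction(p) * X
    assert X >= 0 and below.denominator == 1, "p*X must be an integer"
    return [LO] * int(below) + sorted(D) + [HI] * (X - int(below))

def percentile_hiding_sizes(DA, DB, p, U):
    """The p-percentile of DA u DB computed from the padded inputs of size U each."""
    padded = pad_for_percentile(DA, U, p) + pad_for_percentile(DB, U, p)
    k = ceil(Fraction(p) * 2 * U)                    # rank of the percentile after padding
    return sorted(padded)[k - 1]

def percentile_direct(DA, DB, p):
    """Reference: the element of rank ceil(p * (|DA| + |DB|)) in the unpadded union."""
    return sorted(DA + DB)[ceil(Fraction(p) * (len(DA) + len(DB))) - 1]

def check_random_instances(trials=200, seed=3):
    """Both transforms against a plain sort on random inputs (duplicates included)."""
    rng = random.Random(seed)
    for _ in range(trials):
        n = rng.randrange(1, 8)
        EA = [rng.randrange(5) for _ in range(rng.randrange(1, n + 1))]
        EB = [rng.randrange(5) for _ in range(rng.randrange(1, n + 1))]
        k = rng.randrange(1, len(EA) + len(EB) + 1)
        if kth_with_duplicates(EA, EB, k, n) != sorted(EA + EB)[k - 1]:
            return False
        p = rng.choice(["1/2", "1/4", "3/4", "1/10"])
        d = Fraction(p).denominator
        nA = rng.randrange(1, 10)
        nB = nA + d * rng.randrange(0, 3)            # |DA| = |DB| mod d keeps p*X integral
        U = nB + d * rng.randrange(0, 3)
        DA, DB = rng.sample(range(1000), nA), rng.sample(range(1000, 2000), nB)
        if percentile_hiding_sizes(DA, DB, p, U) != percentile_direct(DA, DB, p):
            return False
    return True
```

With `DA = [3, 3, 7]`, `DB = [3, 5, 5, 9]` and `n = 4`, three suffix bits are appended; the three copies of 3 become 24, 25 (A) and 28 (B), so the 4th ranked transformed value is 45 and stripping the suffix yields 5, the 4th ranked element of the multiset union.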

2.3 Security for the Malicious Case 

We assume that the comparison protocol is secure against malicious parties. We then 
show that although the malicious party can choose its input values adaptively during 
the execution of the protocol, it could as well have constructed an input a priori and 
given it to a trusted third party to get the same output. In other words, although the 
adversary can define the values of its input points depending on whether that input point 
needs to be compared or not in our protocol, this does not give it any more power. The 
proof is composed of two parts. First, we show that the functionality provided by the 
protocol definition provides the required security. Second, we show how to implement 
this functionality efficiently. 

Lemma 3. For every adversary $A'$ in the real model there is an adversary $A''$ in the ideal model, such that the outputs generated by $A'$ and $A''$ are computationally indistinguishable.

Proof Sketch: Based on the composition theorem, we can consider only a protocol in 
the hybrid model where we assume that the comparisons are done securely by a trusted 
party. (We actually need here a composition theorem for a reactive scenario. We refer 
the reader to [3,5] for a treatment of this issue.) 

Visualize the operation of A' as a binary tree. The root is the first comparison it 
performs in the protocol. Its left child is the comparison which is done if the answer to 
the first comparison is 0, and the right child is the comparison that happens if the first 
answer is 1. The tree is constructed recursively following this structure, where every 
node corresponds to a comparison done at Step 4(B). We add leaves corresponding to 
the secure computation of Step 5 of the protocol following the sequence of comparisons 
that lead to a leaf. 

Fix the random input used by the adversary $A'$. We also limit ourselves to adversaries that provide inputs that correspond to the bounds maintained by the protocol (otherwise the protocol aborts as in early termination, and since this is legitimate in the ideal model, we are done). We must generate an input to the trusted party that corresponds to the operation of $A'$. Let us run $A'$ where we provide it with the output of the comparisons. We go over all execution paths (i.e. paths in the tree) by stopping and rewinding the operation. (This is possible since the tree is of logarithmic depth.) Note that each of the internal nodes corresponds to a comparison involving a different location in the sorted list that $A'$ is required to generate according to the protocol. Associate with each node the value that $A'$ provides to the corresponding comparison.

Observe the following facts:

- For any three internal nodes L, A, R where L and R are the left and right children of A, the bounds checked by the protocol enforce that the value of L is smaller than that of A, which is smaller than that of R. Furthermore, an inorder traversal of the internal nodes of the tree results in a list of distinct values appearing in ascending order.

- When the computation reaches a leaf (Step 5), $A'$ provides a single value to a comparison. For the rightmost leaf, the value is larger than any value seen till now, while for each of the remaining leaves, the value is the same as the value on the rightmost internal node on the path from the root to the leaf (this is enforced by checking that the value is the same as $u_A$ or $u_B$ respectively).

- Each item in the input of A is used in at most a single internal node, and exactly a single leaf of the tree.

Consequently, the values associated with the leaves are sorted, and agree with all the values that A provides to comparisons in the protocol. We therefore use these values as the input to the trusted third party in the ideal model. When we receive the output from the trusted party we simulate the route that the execution takes in the tree, provide outputs to A and B, and perform any additional operation that A might apply to its view in the protocol.¹ □



Implementing the Functionality of the Malicious Case Protocol. The functionality that is required for the malicious case consists of using the results of the first $i$ comparisons in order to impose bounds on the possible inputs to the following comparison. This is a reactive secure computation, which consists of several steps, where each step operates based on input from the parties and state information that is delivered from the previous step. This scenario, as well as appropriate security definitions and constructions, was described in [3,5]. (We are interested, however, in a simpler synchronous environment with secure channels.)

In order to implement secure reactive computation, each step should output shares of a state-information string, which are then input to the following step. The shares must be encrypted and authenticated by the secure computation, and be verified and decrypted by the secure computation of the following step. This functionality can be generically added to the secure computation.



3 Multi-party Computation of the Ranked Element

We now describe a protocol that outputs the exact value of the $k$-th ranked element of the union of multiple databases. For this protocol we assume that the elements of the sets are integer-valued, but they need not be distinct. Let $[\alpha, \beta]$ be the (publicly-known) range of input values, and let $M = \beta - \alpha + 1$. The protocol runs a series of rounds in which it (1) suggests a value for the $k$-th ranked element, (2) performs a secure computation to which each party reports the number of its inputs which are smaller than this suggested value, adds these numbers and compares the result to $k$, and (3) updates the guess. The number of rounds of the protocol is logarithmic in $M$.

¹ Note that we are assuming that the inputs can be arbitrary real numbers. If, on the other hand, there is some restriction on the form of the inputs, the protocol must verify that A provides values which are consistent with this restriction. For example, if the inputs are integers then the protocol must verify that the distance between the reported median and the bounds is at least half the number of items in the party's input (otherwise the input items cannot be distinct).
Malicious adversaries. We describe a protocol which is secure against semi-honest adversaries. Again, the protocol can be amended to be secure against malicious adversaries by verifying that the parties are providing it with consistent inputs. We specify in the protocol the additional functionality that should be implemented in order to provide security against malicious adversaries.

Protocol Find-Ranked-Element-MultiParty

Input: Party $P_i$, $1 \le i \le s$, has database $D_i$. The sizes of the databases are public, as is the value $k$. The range $[\alpha, \beta]$ is also public.

Output: The $k$-th ranked element in $D_1 \cup \cdots \cup D_s$.

1. Each party ranks its elements in ascending order. Initialize the current range $[a, b]$ to $[\alpha, \beta]$ and set $n = \sum_i |D_i|$.

In the malicious case: Set for each party $i$ bounds $(l)^i = 0$, $(g)^i = 0$. These values are used to bound the inputs that party $i$ reports in the protocol. $(l)^i$ reflects the number of inputs of party $i$ strictly smaller than the current range, while $(g)^i$ reflects the number of inputs of party $i$ strictly greater than the current range.

2. Repeat until "done":

(a) Set $m = \lfloor (a + b)/2 \rfloor$ and announce it.

(b) Each party computes the number of elements in its database which are strictly smaller than $m$, and the number of elements strictly greater than $m$. Let $l_i$ and $g_i$ be these values for party $i$.

(c) The parties engage in the following secure computation:

In the malicious case: Verify for every party $i$ that $l_i + g_i \le |D_i|$, $l_i \ge (l)^i$, $g_i \ge (g)^i$. In addition, if $m = \alpha$, then we check that $l_i = 0$; or if $m = \beta$, we verify that $g_i = 0$.

- Output "done" if $\sum_i l_i \le k - 1$ and $\sum_i g_i \le n - k$. (This means that $m$ is the $k$-th ranked item.)

- Output "0" if $\sum_i l_i \ge k$. In this case set $b = m - 1$. (This means that the $k$-th ranked element is smaller than $m$.)

In the malicious case: Set $(g)^i = |D_i| - l_i$. (Since the left endpoint of the range remains the same, $(l)^i$ remains unchanged.)

- Output "1" if $\sum_i g_i \ge n - k + 1$. In this case set $a = m + 1$. (This means that the $k$-th ranked element is larger than $m$.)

In the malicious case: Set $(l)^i = |D_i| - g_i$.

Correctness: The correctness of this algorithm follows from observing that if $m$ is the $k$-th ranked element then the first condition will be met and the algorithm will output it. In the other two cases, the $k$-th ranked element is in the reduced range that the algorithm retains.

Overhead: The number of rounds is $\log M$. Each round requires a secure multi-party computation that computes two summations and performs two comparisons. The size of the circuit implementing this computation is $O(s \log M)$, which is also the number of input bits. The secure evaluation can be implemented using the protocols of [11,1,8].
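The multi-party protocol above, as an added example that is not part of the paper: a `TrustedAggregator` stands in for the secure computation of Step 2(c) (the hybrid model) and also enforces the malicious-case bounds $(l)^i$ and $(g)^i$, while honest parties only count the elements of their own database below and above the announced $m$. Class and function names are ours; inputs are integers in the public range $[\alpha, \beta]$ and need not be distinct. The example also checks the $\log M$ round bound and shows the functionality rejecting a party whose counts in one round contradict what it reported earlier.

```python
import random

class Abort(Exception):
    """Raised when a party's reported counts contradict an earlier round."""

class TrustedAggregator:
    """Ideal functionality for Step 2(c), with the malicious-case bounds (l)^i, (g)^i."""
    def __init__(self, sizes, k, alpha, beta):
        self.sizes, self.k, self.n = sizes, k, sum(sizes)
        self.alpha, self.beta = alpha, beta
        self.a, self.b = alpha, beta               # current range [a, b]
        self.lb = [0] * len(sizes)                 # (l)^i: items of party i below the range
        self.gb = [0] * len(sizes)                 # (g)^i: items of party i above the range

    def target(self):
        return (self.a + self.b) // 2              # Step 2(a): m = floor((a+b)/2)

    def step(self, reports):
        """reports[i] = (l_i, g_i); returns 'done', 0 or 1 as in Step 2(c)."""
        m = self.target()
        for i, (li, gi) in enumerate(reports):     # malicious-case checks
            if li + gi > self.sizes[i] or li < self.lb[i] or gi < self.gb[i]:
                raise Abort(f"party {i}: counts inconsistent with earlier rounds")
            if (m == self.alpha and li != 0) or (m == self.beta and gi != 0):
                raise Abort(f"party {i}: element claimed outside [alpha, beta]")
        L = sum(l for l, _ in reports)
        G = sum(g for _, g in reports)
        if L <= self.k - 1 and G <= self.n - self.k:
            return "done"                          # m is the k-th ranked item
        if L >= self.k:                            # k-th item is smaller than m
            self.b = m - 1
            self.gb = [self.sizes[i] - li for i, (li, _) in enumerate(reports)]
            return 0
        self.a = m + 1                             # G >= n-k+1: k-th item is larger than m
        self.lb = [self.sizes[i] - gi for i, (_, gi) in enumerate(reports)]
        return 1

def find_ranked_element_multiparty(databases, k, alpha, beta):
    """Honest run; returns (k-th ranked element of the union, number of rounds)."""
    tp = TrustedAggregator([len(D) for D in databases], k, alpha, beta)
    rounds = 0
    while True:
        m = tp.target()
        reports = [(sum(v < m for v in D), sum(v > m for v in D)) for D in databases]
        rounds += 1
        if tp.step(reports) == "done":
            return m, rounds

def check_random_instances(trials=300, seed=11, alpha=0, beta=100):
    """Correctness and the log M round bound on random inputs with duplicates."""
    rng = random.Random(seed)
    M = beta - alpha + 1
    for _ in range(trials):
        dbs = [[rng.randint(alpha, beta) for _ in range(rng.randrange(1, 8))]
               for _ in range(rng.randrange(2, 5))]
        n = sum(len(D) for D in dbs)
        k = rng.randrange(1, n + 1)
        m, rounds = find_ranked_element_multiparty(dbs, k, alpha, beta)
        if m != sorted(sum(dbs, []))[k - 1] or rounds > M.bit_length():
            return False
    return True

def rejects_inconsistent_counts():
    """Party 0 claims 2 items below 5 and 1 above, then claims 0 items above 2."""
    tp = TrustedAggregator([3, 3], 3, 0, 10)
    assert tp.step([(2, 1), (3, 0)]) == 0          # sum l_i = 5 >= k: range becomes [0, 4]
    try:
        tp.step([(0, 0), (0, 0)])                  # g_0 = 0 < (g)^0 = 3 - 2 = 1
    except Abort:
        return True
    return False
```

For databases `[3, 3, 7]`, `[3, 5]`, `[5, 9, 3]` and $k = 4$ over the range $[0, 10]$ the run announces $m = 5$ (four items below, so the range shrinks to $[0, 4]$), then $m = 2$ (eight items above, range $[3, 4]$), then $m = 3$, for which at most $k - 1 = 3$ items are smaller and at most $n - k = 4$ are larger, so it stops after three rounds with 3, the 4th ranked element of the multiset union.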
Security for the semi-honest case: We provide a sketch of a proof for the security of the protocol. Assume that the multi-party computation in step 2(c) is done by a trusted party. Denote this scenario as the hybrid model. We show that in this case the protocol is secure against an adversary that controls up to $s - 1$ of the parties. Now, implement the multi-party computation by a protocol which is secure against an adversary that controls up to $t$ parties, e.g. using [11,1,8]. (Of course, $t < s - 1$ in the actual implementation, since the protocols computing the "simple" functionalities used in the hybrid model are not secure against $s - 1$ parties, but rather against, say, any coalition of less than $s/3$ corrupt parties.) It follows from the composition theorem that the resulting protocol is secure against this adversary.

In the hybrid model, the adversary can simulate its view of the execution of the 
protocol, given the output of the protocol (and without even using its input). Indeed, 
knowing the range [a, b] that is used at the beginning of a round, the adversary can 
compute the target value m used in that round. If m is the same as the output, it con- 
cludes that the protocol must have ended in this round with m as the output (if the real 
execution did not output m at this stage, m would have been removed from the range 
and could not have been output). Otherwise, it simply updates the range to that side of 
m which contains the output (if the real execution had not done the same, the output 
would have gone out of the active range and could not have been the output). Along 
with the knowledge of the initial range, this shows that the adversary can simulate the 
execution of the protocol. 

Security for the malicious case: We show that the protocol is secure given a secure implementation of the functionality that is described in Step 2(c) of protocol Find-Ranked-Element-MultiParty. Since this is a multi-party reactive system we refer the reader to [3,5] for a description of such a secure implementation. (The idea is that the parties run a secure computation of each step using, e.g., the protocol of [1]. The output contains encrypted and authenticated shares of the current state, which are then input to the computation of the following step, and checked by it.)

For every adversary that corrupts up to s — 1 parties in the computation in the 
hybrid model, there is an adversary with the same power in the ideal model. We limit 
the analysis to adversaries that provide inputs that agree with all the boundary checks 
in the algorithm (otherwise the protocol aborts, and this is a legitimate outcome in the 
ideal model). 

Imagine a tree of size $M$ corresponding to the comparisons done in the protocol (i.e. the root being the comparison for $m = \lfloor (\alpha + \beta)/2 \rfloor$, etc.). Consider also the range $[\alpha, \beta]$ where each element is associated with the single node $u$ in the tree in which $m$ is set to the value of this element. Fix the random values (coin flips) used by the adversary in its operation. Run the adversary, with rewinding, checking the values that are given by each of the parties it controls to each of the comparisons. The values that party $i$ provides to the comparison of node $u$ define, for the corresponding element in the range, the number of items in the input of party $i$ which are smaller than, larger than, and equal to that value.

Assume that we first examine the adversary's behavior for the root node, then for the two children of the root, and continue layer by layer in the tree. Then the boundary checks ensure that the nodes are consistent. Let $l_u$, $e_u$, $g_u$ denote the number of items that are specified by the adversary to be less than, equal to, and greater than $u$, respectively. Then, for any three nodes L, A, R that appear in this order in an inorder traversal of the tree, the boundary checks ensure that $l_L + e_L \le l_A$ and $g_R + e_R \le g_A$. Since $l_A + e_A + g_A = l_R + e_R + g_R$, the second inequality implies that $l_A + e_A \le l_R$. Thus, for any two nodes $u$ and $v$ with $u < v$, we have $l_u + e_u \le l_v$. In particular, for $i = \alpha, \ldots, \beta - 1$, we have $l_i + e_i \le l_{i+1}$, which implies that $\sum_{i=\alpha}^{\beta} e_i \le l_\beta + e_\beta - l_\alpha$. Since $l_\alpha = 0$ and $g_\beta = 0$ (enforced by our checks), we know that $l_\beta + e_\beta - l_\alpha = |D_i|$. Thus, $e_i = l_{i+1} - l_i$ for $\alpha \le i < \beta$.

We use the result of this examination to define the input that each corrupt party provides to the trusted party in the ideal model. We set the input to contain $e_u$ items of value $u$, for every $u \in [\alpha, \beta]$. The trusted party computes the $k$-th ranked value (say, using the same algorithms as in the protocol). Since in the protocol itself the values provided by each party depend only on the results of previous comparisons (i.e. the path in the tree), the output of the trusted party is the same as in the protocol.
Abstract. We describe a short signature scheme which is existentially 
unforgeable under a chosen message attack without using random ora- 
cles. The security of our scheme depends on a new complexity assumption 
we call the Strong Diffie-Hellman assumption. This assumption has sim- 
ilar properties to the Strong RSA assumption, hence the name. Strong 
RSA was previously used to construct signature schemes without ran- 
dom oracles. However, signatures generated by our scheme are much 
shorter and simpler than signatures from schemes based on Strong RSA. 
Furthermore, our scheme provides a limited form of message recovery. 



1 Introduction 

Boneh, Lynn, and Shacham (BLS) [BLS01] recently proposed a short digital signature scheme where signatures are about half the size of DSA signatures with the same level of security. Security is based on the Computational Diffie-Hellman (CDH) assumption on certain elliptic curves. The scheme is shown to be existentially unforgeable under a chosen message attack in the random oracle model.

In this paper we describe a signature scheme where signatures are almost as short as BLS signatures, but whose security does not require random oracles. We prove security of our scheme using a complexity assumption we call the Strong Diffie-Hellman assumption, or SDH for short. Roughly speaking, the $q$-SDH assumption in a group $G$ of prime order $p$ states that the following problem is intractable: given $g, g^x, g^{(x^2)}, \ldots, g^{(x^q)} \in G$ as input, output a pair $(c, g^{1/(x+c)})$ where $c \in \mathbb{Z}_p^*$. Precise definitions are given in Section 2.3. Using this assumption we construct a signature scheme that is existentially unforgeable under a chosen message attack without using random oracles.

Currently, the most practical signature schemes secure without random oracles [GHR99, CS00] are based on the Strong RSA assumption (given an RSA modulus $N$ and $s \in \mathbb{Z}_N^*$ it is difficult to construct a non-trivial pair $(c, s^{1/c})$ where $c \in \mathbb{Z}$). Roughly speaking, what makes Strong RSA so useful for constructing secure signature schemes is the following property: given a Strong RSA problem instance $(N, s)$ it is possible to construct a new instance $(N, s')$ with $q$ known solutions $(c_i, (s')^{1/c_i})$, where the construction of any other solution $(c, (s')^{1/c})$ makes it possible to solve the original problem instance. This property provides a way to prove security against a chosen message attack. In Section 3.1 we show that the $q$-SDH problem has a similar property. Hence, $q$-SDH may be viewed as a discrete logarithm analogue of the Strong RSA assumption. We believe that the properties of $q$-SDH make it a useful tool for constructing cryptographic systems and we expect to see many other systems based on it.

To gain some confidence in the $q$-SDH assumption we provide in Section 5 a lower bound on the computational complexity of solving the $q$-SDH problem in a generic group model. This shows that no generic attack on $q$-SDH is possible. Mitsunari, Sakai, and Kasahara [MSK02] previously used a weaker variant of the $q$-SDH assumption to construct a traitor tracing scheme. The ideas in their paper are nice, and we use some of them here. Unfortunately, their application to tracing traitors is insecure [TSNZ03].

We present our secure signature scheme in Section 3 and prove its security against existential forgery under chosen message attack. The resulting signatures are as short as DSA signatures, but are provably secure in the absence of random oracles. Our signatures also support limited message recovery, which makes it possible to further reduce the total length of a message/signature pair. In Section 4 we show that with random oracles the $q$-SDH assumption gives even shorter signatures. A related system using random oracles was recently described by Zhang et al. [ZSNS04].

We refer to [BLS01] for applications of short signatures. We only mention that short digital signatures are needed in environments with stringent bandwidth constraints, such as bar-coded digital signatures on postage stamps [NS00, PV00]. We also note that Patarin et al. [PCG01, CDF03] construct short signatures whose security depends on the Hidden Field Equation (HFE) problem.

2 Preliminaries 

Before presenting our results we briefly review two notions of security for signature schemes, review the definition for groups equipped with a bilinear map, and precisely state the $q$-SDH assumption.

2.1 Secure Signature Schemes 

A signature scheme is made up of three algorithms, KeyGen, Sign, and Verify, 
for generating keys, signing, and verifying signatures, respectively. 

Strong Existential Unforgeability 

The standard notion of security for a signature scheme is called existential
unforgeability under a chosen message attack [GMR88]. We consider a slightly
stronger notion of security, called strong existential unforgeability [ADR02],
which is defined using the following game between a challenger and an adversary A:

Setup: The challenger runs algorithm KeyGen to obtain a public key PK
and a private key SK. The adversary A is given PK.

Queries: Proceeding adaptively, A requests signatures on at most $q_S$ messages
of his choice $M_1, \ldots, M_{q_S} \in \{0,1\}^*$, under PK. The challenger
responds to each query with a signature $\sigma_i = \mathrm{Sign}(SK, M_i)$.

Output: Eventually, A outputs a pair $(M, \sigma)$ and wins the game if

(1) $(M, \sigma)$ is not any of $(M_1, \sigma_1), \ldots, (M_{q_S}, \sigma_{q_S})$, and

(2) $\mathrm{Verify}(PK, M, \sigma) = \mathrm{valid}$.

We define $\mathrm{Adv\,Sig}_A$ to be the probability that A wins in the above game, taken
over the coin tosses made by A and the challenger.

Definition 1. A forger A $(t, q_S, \epsilon)$-breaks a signature scheme if A runs in time
at most t, A makes at most $q_S$ signature queries, and $\mathrm{Adv\,Sig}_A$ is at least $\epsilon$. A
signature scheme is $(t, q_S, \epsilon)$-existentially unforgeable under an adaptive chosen
message attack if no forger $(t, q_S, \epsilon)$-breaks it.

When proving security in the random oracle model we add a fourth parameter
$q_H$ denoting an upper bound on the number of queries that the adversary A
makes to the random oracle.

We note that the definition above captures a stronger version of existential
unforgeability than the standard one: we require that the adversary cannot even
generate a new signature on a previously signed message. This property is
required for some applications [ADR02, Sah99, CHK04]. All our signature schemes
satisfy this stronger security notion.

Weak Chosen Message Attacks 

We will also use a weaker notion of security which we call existential
unforgeability under a weak chosen message attack. Here we require that the adversary
submit all signature queries before seeing the public key. This notion is defined
using the following game between a challenger and an adversary A:

Query: A sends the challenger a list of $q_S$ messages $M_1, \ldots, M_{q_S} \in \{0,1\}^*$.

Response: The challenger runs algorithm KeyGen to generate a public
key PK and private key SK. Next, the challenger generates signatures
$\sigma_i = \mathrm{Sign}(SK, M_i)$ for $i = 1, \ldots, q_S$. The challenger then gives A the
public key PK and the $q_S$ signatures $\sigma_1, \ldots, \sigma_{q_S}$.

Output: Algorithm A outputs a pair $(M, \sigma)$ and wins the game if

(1) M is not any of $M_1, \ldots, M_{q_S}$, and

(2) $\mathrm{Verify}(PK, M, \sigma) = \mathrm{valid}$.

We define $\mathrm{Adv\,W\text{-}Sig}_A$ to be the probability that A wins in the above game,
taken over the coin tosses of A and the challenger.

Definition 2. A forger A $(t, q_S, \epsilon)$-weakly breaks a signature scheme if A runs
in time at most t, A makes at most $q_S$ signature queries, and $\mathrm{Adv\,W\text{-}Sig}_A$ is
at least $\epsilon$. A signature scheme is $(t, q_S, \epsilon)$-existentially unforgeable under a weak
chosen message attack if no forger $(t, q_S, \epsilon)$-weakly breaks it.
2.2 Bilinear Groups

Signature verification in our scheme requires a bilinear map. We briefly review
the necessary facts about bilinear maps and bilinear map groups. We follow the
notation in [BLS01]:

1. $G_1$ and $G_2$ are two (multiplicative) cyclic groups of prime order p;

2. $g_1$ is a generator of $G_1$ and $g_2$ is a generator of $G_2$;

3. $\psi$ is an isomorphism from $G_2$ to $G_1$, with $\psi(g_2) = g_1$; and

4. e is a bilinear map $e : G_1 \times G_2 \to G_T$.

For simplicity one can set $G_1 = G_2$. However, as in [BLS01], we allow for
the more general case where $G_1 \neq G_2$ so that we can take advantage of certain
families of elliptic curves to obtain short signatures. Specifically, elements of
$G_1$ have a short representation whereas elements of $G_2$ may not. The proofs
of security require an efficiently computable isomorphism $\psi : G_2 \to G_1$. When
$G_1 = G_2$ and $g_1 = g_2$ one could take $\psi$ to be the identity map. On elliptic curves
we can use the trace map as $\psi$.

Let thus $G_1$ and $G_2$ be two groups as above, with an additional group $G_T$
such that $|G_1| = |G_2| = |G_T|$. A bilinear map is a map $e : G_1 \times G_2 \to G_T$ with
the following properties:

1. Bilinear: for all $u \in G_1$, $v \in G_2$ and $a, b \in \mathbb{Z}$, $e(u^a, v^b) = e(u, v)^{ab}$.

2. Non-degenerate: $e(g_1, g_2) \neq 1$.

We say that $(G_1, G_2)$ are bilinear groups if there exists a group $G_T$, an
isomorphism $\psi : G_2 \to G_1$, and a bilinear map $e : G_1 \times G_2 \to G_T$ as above, and
e, $\psi$, and the group action in $G_1$, $G_2$, and $G_T$ can be computed efficiently.

Joux and Nguyen [JN01] showed that an efficiently computable bilinear map e
provides an algorithm for solving the Decision Diffie-Hellman problem (DDH).
Our results can be stated using a generic algorithm for DDH. Nevertheless, for
the sake of concreteness we instead describe our results by directly referring to
the bilinear map.

2.3 The Strong Diffie-Hellman Assumption

Before describing the new signature schemes, we first state precisely the hardness
assumption on which they are based. Let $G_1, G_2$ be two cyclic groups of prime
order p, where possibly $G_1 = G_2$. Let $g_1$ be a generator of $G_1$ and $g_2$ a generator
of $G_2$.



q-Strong Diffie-Hellman Problem. The q-SDH problem in $(G_1, G_2)$ is defined as
follows: given a $(q+2)$-tuple $(g_1, g_2, g_2^x, g_2^{x^2}, \ldots, g_2^{x^q})$ as input, output a pair
$(c, g_1^{1/(x+c)})$ where $c \in \mathbb{Z}_p^*$. An algorithm A has advantage $\epsilon$ in solving q-SDH in
$(G_1, G_2)$ if

$$\Pr\left[ A(g_1, g_2, g_2^x, \ldots, g_2^{x^q}) = (c, g_1^{1/(x+c)}) \right] \geq \epsilon$$

where the probability is over the random choice of x in $\mathbb{Z}_p^*$ and the random bits
consumed by A.

Definition 3. We say that the $(q, t, \epsilon)$-SDH assumption holds in $(G_1, G_2)$ if
no t-time algorithm has advantage at least $\epsilon$ in solving the q-SDH problem in
$(G_1, G_2)$.

Occasionally we drop the t and $\epsilon$ and refer to the q-SDH assumption rather
than the $(q, t, \epsilon)$-SDH assumption. As we will see in the next section the q-SDH
assumption has similar properties to the Strong RSA problem and we therefore
view q-SDH as a discrete logarithm analogue of the Strong RSA assumption.

To provide some confidence in the q-SDH assumption, we prove in Section 5
a lower bound on the complexity of solving the q-SDH problem in a generic
group. Furthermore, we note that the Strong Diffie-Hellman problem has a simple
random self-reduction in $(G_1, G_2)$.

A weaker version of the q-SDH assumption was previously used by Mitsunari,
Sakai, and Kasahara [MSK02] to construct a traitor tracing system
(see [TSNZ03] for an analysis). Using our notation, their version of the assumption
requires Algorithm A to output $g_1^{1/(x+c)}$ for a given input value c. In the
assumption above we allow A to choose c. When c is pre-specified the q-SDH
problem is equivalent to the following problem: given $(g_1, g_2, g_2^x, g_2^{x^2}, \ldots, g_2^{x^q})$
output $g_1^{x^{q+1}}$. We note that when A is allowed to choose c no such equivalence is
known. The weaker variant of the assumption was recently used to construct an
efficient selective identity secure identity based encryption (IBE) system without
random oracles [BB04a].

3 Short Signatures Without Random Oracles 

We now construct a fully secure short signature scheme in the standard model
using the q-SDH assumption. We consider this to be the main result of the paper.

Let $(G_1, G_2)$ be bilinear groups where $|G_1| = |G_2| = p$ for some prime p.
As usual, $g_1$ is a generator of $G_1$ and $g_2$ a generator of $G_2$. For the moment we
assume that the messages m to be signed are elements in $\mathbb{Z}_p^*$, but as we mention
in Section 3.5, the domain can be extended to all of $\{0,1\}^*$ using a collision
resistant hash function $H : \{0,1\}^* \to \mathbb{Z}_p^*$.

Key generation: Pick random $x, y \xleftarrow{R} \mathbb{Z}_p^*$, and compute $u \leftarrow g_2^x \in G_2$ and
$v \leftarrow g_2^y \in G_2$. The public key is $(g_1, g_2, u, v)$. The secret key is $(x, y)$.

Signing: Given a secret key $x, y \in \mathbb{Z}_p^*$ and a message $m \in \mathbb{Z}_p^*$, pick a random
$r \in \mathbb{Z}_p^*$ and compute $\sigma \leftarrow g_1^{1/(x + m + yr)} \in G_1$. Here $1/(x + m + yr)$ is computed
modulo p. In the unlikely event that $x + m + yr = 0$ we try again with a
different random r. The signature is $(\sigma, r)$.

Verification: Given a public key $(g_1, g_2, u, v)$, a message $m \in \mathbb{Z}_p^*$, and a signature
$(\sigma, r)$, verify that

$$e(\sigma,\ u \cdot g_2^m \cdot v^r) = e(g_1, g_2)$$

If the equality holds the result is valid; otherwise the result is invalid.
Signature length. A signature contains two elements $(\sigma, r)$, each of length
approximately $\log_2(p)$ bits, therefore the total signature length is approximately
$2\log_2(p)$. When using the elliptic curves described in [BLS01] we obtain a signature
whose length is approximately the same as a DSA signature with the same
security, but which is provably existentially unforgeable under a chosen message
attack without the random oracle model.

Performance. Key and signature generation times are comparable to BLS signatures.
Verification time is faster since verification requires only one pairing and
one multi-exponentiation. The value $e(g_1, g_2)$ only needs to be computed at
initialization time and cached. In comparison, BLS signature verification requires
two pairing computations. Since exponentiation tends to be significantly faster
than pairing, signature verification is faster than in the BLS system.

Security. The following theorem shows that the scheme above is existentially
unforgeable in the strong sense under chosen message attacks, provided that the
q-SDH assumption holds in $(G_1, G_2)$.

Theorem 1. Suppose the $(q, t', \epsilon')$-SDH assumption holds in $(G_1, G_2)$. Then the
signature scheme above is $(t, q_S, \epsilon)$-secure against existential forgery under a chosen
message attack provided that

$$t \leq t' - o(t'),\qquad q_S < q \qquad\text{and}\qquad \epsilon \geq 2(\epsilon' + q_S/p) \approx 2\epsilon'$$

Proof. We prove the theorem using two lemmas. In Lemma 1, we first describe a
simplified signature scheme and prove its existential unforgeability against weak
chosen message attacks under the q-SDH assumption. In Lemma 2, we then show
that the security of the weak scheme implies the security of the full scheme. From
these results (Lemmas 1 and 2), Theorem 1 follows easily. We present the proof
in two steps since the construction used to prove Lemma 1 will be used later on
in the paper. □



3.1 A Weakly Secure Short Signature Scheme 

We first show how the q-SDH assumption can be used to construct an existentially
unforgeable scheme under a weak chosen message attack. This construction
demonstrates the main properties of the q-SDH assumption. In the next section
we show that the security of this weak scheme implies the security of the full
scheme above.

The weakly secure short signature scheme is as follows. As before, let $(G_1, G_2)$
be bilinear groups where $|G_1| = |G_2| = p$ for some prime p. As usual, $g_1$ is a
generator of $G_1$ and $g_2$ a generator of $G_2$. For the moment we assume that the
messages m to be signed are elements in $\mathbb{Z}_p^*$.

Key generation: Pick random $x \xleftarrow{R} \mathbb{Z}_p^*$, and compute $v \leftarrow g_2^x \in G_2$. The public
key is $(g_1, g_2, v)$. The secret key is x.

Signing: Given a secret key $x \in \mathbb{Z}_p^*$ and a message $m \in \mathbb{Z}_p^*$, output the signature
$\sigma \leftarrow g_1^{1/(x + m)} \in G_1$. Here $1/(x + m)$ is computed modulo p. By convention in
this context we define $1/0$ to be 0 so that in the unlikely event that $x + m = 0$
we have $\sigma \leftarrow 1$.

Verification: Given a public key $(g_1, g_2, v)$, a message $m \in \mathbb{Z}_p^*$, and a signature
$\sigma \in G_1$, verify that

$$e(\sigma,\ v \cdot g_2^m) = e(g_1, g_2)$$

If equality holds output valid. If $\sigma = 1$ and $v \cdot g_2^m = 1$ output valid.
Otherwise, output invalid.
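Both schemes side by side, as an added example that is not code from the paper, in a toy bilinear-group model: an element $g^a$ of $G_1$, $G_2$ or $G_T$ is stored as the integer a mod P, so exponentiation is multiplication, the group operation is addition and the pairing multiplies exponents. Discrete logarithms are trivial in this model (x can be read off the public key), so it checks only the algebra of KeyGen/Sign/Verify, including the $1/0 := 0$ convention of the weak scheme; the toy prime P and the sample messages are constructed.

```python
"""Added example (not the paper's code): the full scheme of Section 3 and the weak
scheme of Lemma 1 in a toy bilinear-group model. An element g^a of G1, G2 or GT is
stored as the integer a mod P, so exponentiation is multiplication, the group
operation is addition and the pairing multiplies exponents. Discrete logs are
therefore trivial: the model checks only the algebra of KeyGen/Sign/Verify."""
import secrets

P = 2**31 - 1          # constructed toy group order; the paper needs a ~160-bit prime p
G1 = G2 = 1            # generators g1, g2, i.e. the exponent 1

def inv(a):
    """1/a mod P, with the paper's convention 1/0 := 0 (needed by the weak scheme)."""
    a %= P
    return 0 if a == 0 else pow(a, P - 2, P)

def gexp(g, a):        # g^a
    return (g * a) % P

def gmul(u, v):        # u * v
    return (u + v) % P

def pairing(u, v):     # e(g1^a, g2^b) = e(g1, g2)^(ab)
    return (u * v) % P

def rand_zp_star():
    return secrets.randbelow(P - 1) + 1

# ---- full scheme (Section 3): public key (g1, g2, u, v), secret key (x, y) ----
def keygen_full():
    x, y = rand_zp_star(), rand_zp_star()
    return (G1, G2, gexp(G2, x), gexp(G2, y)), (x, y)

def sign_full(sk, m):
    x, y = sk
    while True:
        r = rand_zp_star()
        d = (x + m + y * r) % P
        if d != 0:                      # x + m + y*r = 0: retry with a fresh r
            return gexp(G1, inv(d)), r  # sigma = g1^(1/(x + m + y*r)), r

def verify_full(pk, m, sig):
    g1, g2, u, v = pk
    sigma, r = sig
    rhs = gmul(gmul(u, gexp(g2, m)), gexp(v, r))     # u * g2^m * v^r
    return pairing(sigma, rhs) == pairing(g1, g2)

# ---- weak scheme (Lemma 1): public key (g1, g2, v), secret key x ----
def keygen_weak():
    x = rand_zp_star()
    return (G1, G2, gexp(G2, x)), x

def sign_weak(x, m):
    # sigma = g1^(1/(x + m)); the identity element (exponent 0) if x + m = 0
    return gexp(G1, inv(x + m))

def verify_weak(pk, m, sigma):
    g1, g2, v = pk
    rhs = gmul(v, gexp(g2, m))         # v * g2^m
    if pairing(sigma, rhs) == pairing(g1, g2):
        return True
    return sigma == 0 and rhs == 0     # degenerate case: sigma = 1 and v * g2^m = 1

if __name__ == "__main__":
    pk, sk = keygen_full()
    sig = sign_full(sk, 0x5EC0DE)
    print("full scheme verifies:", verify_full(pk, 0x5EC0DE, sig))
```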

We show that the basic signature scheme above is existentially unforgeable
under a weak chosen message attack. The proof of the following lemma uses a
similar method to the proof of Theorem 3.5 of Mitsunari et al. [MSK02].

Lemma 1. Suppose the $(q, t', \epsilon)$-SDH assumption holds in $(G_1, G_2)$. Then the
basic signature scheme above is $(t, q_S, \epsilon)$-secure against existential forgery under
a weak chosen message attack provided that

$$t \leq t' - O(q^2) \qquad\text{and}\qquad q_S < q$$

Proof. Assume A is a forger that $(t, q_S, \epsilon)$-breaks the signature scheme. We
construct an algorithm B that, by interacting with A, solves the q-SDH problem in
time t' with advantage $\epsilon$. Algorithm B is given an instance $(g_1, g_2, A_1, \ldots, A_q)$
of the q-SDH problem, where $A_i = g_2^{(x^i)} \in G_2$ for $i = 1, \ldots, q$ and for some
unknown $x \in \mathbb{Z}_p^*$. For convenience we set $A_0 = g_2$. Algorithm B's goal is to
produce a pair $(c, g_1^{1/(x+c)})$ for some $c \in \mathbb{Z}_p^*$. Algorithm B does so by interacting
with the forger A as follows:

Query: Algorithm A outputs a list of distinct $q_S$ messages $m_1, \ldots, m_{q_S} \in \mathbb{Z}_p^*$,
where $q_S < q$. Since A must reveal its queries up front, we may assume that
A outputs exactly $q - 1$ messages to be signed (if the actual number is less,
we can always virtually reduce the value of q so that $q = q_S + 1$).

Response: B must respond with a public key and signatures on the $q - 1$ messages
from A. Let f(y) be the polynomial $f(y) = \prod_{i=1}^{q-1} (y + m_i)$. Expand f(y)
and write $f(y) = \sum_{i=0}^{q-1} \alpha_i y^i$ where $\alpha_0, \ldots, \alpha_{q-1} \in \mathbb{Z}_p$ are the coefficients of
the polynomial f(y). Compute:

$$g_2' \leftarrow \prod_{i=0}^{q-1} A_i^{\alpha_i} = g_2^{f(x)} \qquad\text{and}\qquad h \leftarrow \prod_{i=1}^{q} A_i^{\alpha_{i-1}} = g_2^{x f(x)} = (g_2')^x$$

Also, let $g_1' = \psi(g_2')$. The public key given to A is $(g_1', g_2', h)$. Next, for each
$i = 1, \ldots, q - 1$, Algorithm B must generate a signature $\sigma_i$ on $m_i$. To do so,
let $f_i(y)$ be the polynomial $f_i(y) = f(y)/(y + m_i) = \prod_{j=1, j \neq i}^{q-1} (y + m_j)$. As
before, we expand $f_i$ and write $f_i(y) = \sum_{j=0}^{q-2} \beta_j y^j$. Compute

$$S_i \leftarrow \prod_{j=0}^{q-2} A_j^{\beta_j} = g_2^{f_i(x)} \in G_2$$

Observe that $\sigma_i = \psi(S_i) \in G_1$ is a valid signature on $m_i$ under the public
key $(g_1', g_2', h)$. Algorithm B gives A the $q - 1$ signatures $\sigma_1, \ldots, \sigma_{q-1}$.

Output: Algorithm A returns a forgery $(m^*, \sigma^*)$ such that $\sigma^* \in G_1$ is a valid
signature on $m^* \in \mathbb{Z}_p^*$ and $m^* \notin \{m_1, \ldots, m_{q-1}\}$ since there is only one valid
signature per message. In other words, $e(\sigma^*, h \cdot (g_2')^{m^*}) = e(g_1', g_2')$. Since
$h = (g_2')^x$ we have that $e(\sigma^*, (g_2')^{x + m^*}) = e(g_1', g_2')$ therefore

$$\sigma^* = (g_1')^{1/(x + m^*)} = g_1^{f(x)/(x + m^*)} \qquad (1)$$

Using long division we write the polynomial f as $f(y) = \gamma(y)(y + m^*) + \gamma_{-1}$
for some polynomial $\gamma(y) = \sum_{i=0}^{q-2} \gamma_i y^i$ and some $\gamma_{-1} \in \mathbb{Z}_p$. Then the rational
fraction $f(y)/(y + m^*)$ in the exponent on the right side of Equation (1) can
be written as

$$f(y)/(y + m^*) = \frac{\gamma_{-1}}{y + m^*} + \sum_{i=0}^{q-2} \gamma_i y^i$$

Note that $\gamma_{-1} \neq 0$, since $f(y) = \prod_{i=1}^{q-1} (y + m_i)$ and $m^* \notin \{m_1, \ldots, m_{q-1}\}$,
and thus $(y + m^*)$ does not divide f(y). Then algorithm B computes

$$w \leftarrow \left( \sigma^* \cdot \prod_{i=0}^{q-2} \psi(A_i)^{-\gamma_i} \right)^{1/\gamma_{-1}} = g_1^{1/(x + m^*)}$$

and returns $(m^*, w)$ as the solution to the q-SDH instance.

The claimed bounds are obvious by construction of the reduction. □
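The reduction above, run end to end as an added example (not the paper's code) in the same toy group model ($g^a$ stored as a mod P, pairing multiplies exponents). Algorithm B touches the q-SDH challenge only through multi-exponentiation of the $A_i$; the toy encoding is what lets the test confirm that the extracted w really is $g_1^{1/(x + m^*)}$. The toy prime, the secret x (passed in only to construct the challenge and the forgery) and the messages are constructed.

```python
"""Added example (not the paper's code): Algorithm B of Lemma 1 in the toy group model.
B uses the challenge (g1, A_0 = g2, A_1 = g2^x, ..., A_q = g2^(x^q)) only through group
operations; the toy encoding (g^a stored as a mod P) just makes the result checkable."""

P = 2**31 - 1                         # constructed toy prime

def inv(a): return pow(a % P, P - 2, P)
def gexp(g, a): return (g * a) % P    # g^a
def gmul(u, v): return (u + v) % P    # u * v
def psi(h): return h                  # isomorphism G2 -> G1 (identity on toy encodings)
def pairing(u, v): return (u * v) % P

def poly_mul(a, b):
    """Product of polynomials over Z_P, coefficients listed from y^0 upward."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out

def poly_divmod_linear(f, c):
    """Long division of f(y) by (y + c) over Z_P: returns (quotient, remainder)."""
    root = (-c) % P
    quot = [0] * (len(f) - 1)
    carry = 0
    for k in range(len(f) - 1, 0, -1):       # synthetic division (Horner) from the top
        carry = (f[k] + root * carry) % P
        quot[k - 1] = carry
    return quot, (f[0] + root * carry) % P

def multi_exp(elems, coeffs):
    """prod_i elems[i]^coeffs[i]: the only way B ever uses the challenge elements."""
    acc = 0                                  # group identity
    for e, c in zip(elems, coeffs):
        acc = gmul(acc, gexp(e, c))
    return acc

def sdh_instance(q, x):
    """Constructed q-SDH challenge (g1, [A_0, ..., A_q]); x is known only to the challenger."""
    return 1, [pow(x, i, P) for i in range(q + 1)]

def simulate_response(A, msgs):
    """B's Response phase: public key (g1', g2', h) and signatures on the q-1 messages."""
    q = len(A) - 1
    assert len(msgs) == q - 1, "the forger reveals exactly q-1 messages"
    f = [1]
    for m in msgs:
        f = poly_mul(f, [m % P, 1])          # f(y) = prod (y + m_i) = sum alpha_i y^i
    g2p = multi_exp(A[:q], f)                # g2' = prod A_i^{alpha_i}     = g2^{f(x)}
    h = multi_exp(A[1:q + 1], f)             # h   = prod A_{i+1}^{alpha_i} = g2^{x f(x)}
    g1p = psi(g2p)
    sigs = []
    for m in msgs:
        fi, rem = poly_divmod_linear(f, m)   # f_i(y) = f(y)/(y + m_i), divides exactly
        assert rem == 0
        sigs.append(psi(multi_exp(A[:q - 1], fi)))   # sigma_i = g1'^{1/(x + m_i)}
    return (g1p, g2p, h), f, sigs

def extract_sdh_solution(A, f, m_star, sigma_star):
    """B's Output phase: forgery (m*, sigma*) under (g1', g2', h) -> q-SDH solution (m*, w)."""
    gamma, gamma_m1 = poly_divmod_linear(f, m_star)   # f(y) = gamma(y)(y + m*) + gamma_{-1}
    assert gamma_m1 != 0, "m* was one of the queried messages"
    # sigma* = g1^{f(x)/(x+m*)} = g1^{gamma_{-1}/(x+m*)} * prod psi(A_i)^{gamma_i}
    strip = multi_exp([psi(a) for a in A[:len(gamma)]], [(-g) % P for g in gamma])
    w = gexp(gmul(sigma_star, strip), inv(gamma_m1))
    return m_star, w

def is_sdh_solution(g1, A, c, w):
    """Check e(w, g2^x * g2^c) = e(g1, g2), i.e. w = g1^{1/(x + c)}."""
    return pairing(w, gmul(A[1], gexp(A[0], c))) == pairing(g1, A[0])

def weak_verify(pk, m, sigma):
    """Verification of the weak scheme: e(sigma, v * g2^m) = e(g1, g2)."""
    g1, g2, v = pk
    return pairing(sigma, gmul(v, gexp(g2, m))) == pairing(g1, g2)
```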

3.2 From Weak Security to Full Security

We now present a reduction from the security of the basic scheme of Lemma 1
to the security of the full signature scheme described at the onset of Section 3.
This will complete the proof of Theorem 1.

Lemma 2. Suppose that the basic signature scheme of Lemma 1 is $(t', q_S, \epsilon')$-weakly
secure. Then the full signature scheme is $(t, q_S, \epsilon)$-secure against existential
forgery under a chosen message attack provided that

$$t \leq t' - O(q_S) \qquad\text{and}\qquad \epsilon \geq 2(\epsilon' + q_S/p) \approx 2\epsilon'$$

Proof. Assume A is a forger that $(t, q_S, \epsilon)$-breaks the full signature scheme. We
construct an algorithm B that $(t + O(q_S), q_S, \epsilon/2 - q_S/p)$-weakly breaks the basic
signature scheme of Lemma 1.

Before describing Algorithm B we distinguish between two types of forgers
that A can emulate. Let $(g_1, g_2, u, v)$ be the public key given to forger A where
$u = g_2^x$ and $v = g_2^y$. Suppose A asks for signatures on messages $m_1, \ldots, m_{q_S} \in \mathbb{Z}_p^*$
and is given signatures $(\sigma_i, r_i)$ for $i = 1, \ldots, q_S$ on these messages. Let $w_i =
m_i + y r_i$ and let $(m^*, \sigma^*, r^*)$ be the forgery produced by A. We distinguish
between two types of forgers:

Type-1 forger: a forger that either (i) makes a signature query for the message
$m = -x$, or (ii) outputs a forgery where $m^* + y r^* \notin \{w_1, \ldots, w_{q_S}\}$.

Type-2 forger: a forger that (i) never makes a signature query for the message
$m = -x$, and (ii) outputs a forgery where $m^* + y r^* = w_i$ for some $i \in
\{1, \ldots, q_S\}$.

We show that either forger can be used to forge signatures for the weak signature
scheme of Lemma 1. However, the reduction works differently for each forger
type. Therefore, initially B will choose a random bit $c_{mode} \in \{1, 2\}$ that indicates
its guess for the type of forger that A will emulate. The simulation proceeds
differently for each mode.

We are now ready to describe Algorithm B. It produces a forgery for the
signature scheme of Lemma 1 as follows:

Setup: Algorithm B first picks a random bit $c_{mode} \in \{1, 2\}$. Next, B sends
to its own challenger a list of $q_S$ random messages $w_1, \ldots, w_{q_S} \in \mathbb{Z}_p^*$ for
which it requests a signature. The challenger responds with a public key
$(g_1, g_2, U)$ and signatures $\sigma_1, \ldots, \sigma_{q_S} \in G_1$ on these messages. We know that
$e(\sigma_i, g_2^{w_i} \cdot U) = e(g_1, g_2)$ for all $i = 1, \ldots, q_S$. Then:

• (If $c_{mode} = 1$). B picks a random $y \in \mathbb{Z}_p^*$ and gives A the public key
$PK_1 = (g_1, g_2, U, g_2^y)$.

• (If $c_{mode} = 2$). B picks a random $x \in \mathbb{Z}_p^*$ and gives A the public key
$PK_2 = (g_1, g_2, g_2^x, U)$.

In either case, we note that B provides the adversary A with a valid public
key $(g_1, g_2, U, V)$.

Signature queries: The forger A can issue up to $q_S$ signature queries in an
adaptive fashion. In order to respond, B maintains a list H-list of tuples
$(m_i, r_i, W_i)$ and a query counter $\ell$ which is initially set to 0. Upon receiving
a signature query for m, Algorithm B increments $\ell$ by one. Then:

• (If $c_{mode} = 1$). Check if $g_2^{-m} = U$. If so, then B just obtained the private
key for the public key $(g_1, g_2, U)$ it was given, which allows it to forge the
signature on any message of its choice. At this point B successfully terminates
the simulation.

Otherwise, set $r_\ell = (w_\ell - m)/y \in \mathbb{Z}_p^*$. In the very unlikely event that $r_\ell = 0$,
Algorithm B reports failure and aborts. Otherwise, Algorithm B gives A
the signature $(\sigma_\ell, r_\ell)$. This is a valid signature on m under $PK_1$ since $r_\ell$ is
uniform in $\mathbb{Z}_p^*$ and

$$e(\sigma_\ell,\ U \cdot g_2^m \cdot (g_2^y)^{r_\ell}) = e(\sigma_\ell,\ U \cdot g_2^{m + y r_\ell}) = e(\sigma_\ell,\ U \cdot g_2^{w_\ell}) = e(g_1, g_2)$$

• (If $c_{mode} = 2$). Set $r_\ell = (x + m)/w_\ell \in \mathbb{Z}_p^*$. If $r_\ell = 0$, Algorithm B reports
failure and aborts. Otherwise, give A the signature $(\sigma_\ell^{1/r_\ell}, r_\ell)$. This is a valid
signature on m under $PK_2$ since $r_\ell$ is uniform in $\mathbb{Z}_p^*$ and

$$e(\sigma_\ell^{1/r_\ell},\ U \cdot g_2^m \cdot V^{r_\ell}) = e(\sigma_\ell^{1/r_\ell},\ g_2^x \cdot g_2^m \cdot U^{r_\ell}) = e(\sigma_\ell,\ g_2^{w_\ell} \cdot U) = e(g_1, g_2)$$

In either case if B does not stop it responds with a valid signature on m.

In either case Algorithm B adds the tuple $(m, r_\ell, g_2^m \cdot V^{r_\ell})$ to the H-list.

Output: Eventually, A returns a forgery $(m^*, \sigma^*, r^*)$ where $(\sigma^*, r^*)$ is a valid
forgery distinct from any previously given signature on message $m^*$. Note
that by adding dummy queries as necessary, we may assume that A made
exactly $q_S$ signature queries. Let $W^* \leftarrow g_2^{m^*} \cdot V^{r^*}$. Algorithm B searches the
H-list for a tuple whose rightmost component is equal to $W^*$. There are two
possibilities:

Type-1 forgery: No tuple of the form $(\cdot, \cdot, W^*)$ appears on the H-list.

Type-2 forgery: The H-list contains at least one tuple $(m_j, r_j, W_j)$ such
that $W_j = W^*$.

Let $b_{type} \leftarrow 1$ if A produced a type-1 forgery, or A made a signature query
for a message m such that $g_2^{-m} = U$. In all other cases, set $b_{type} \leftarrow 2$. If
$b_{type} \neq c_{mode}$ then B reports failure and aborts. Otherwise, B outputs an
existential forgery on the basic signature scheme as follows:

• (If $c_{mode} = b_{type} = 1$). If A made a signature query for a message m such
that $g_2^{-m} = U$ then B is already done. Therefore, we assume A produced a
type-1 forgery. Since the forgery is valid, we have

$$e(g_1, g_2) = e(\sigma^*,\ U \cdot g_2^{m^*} \cdot V^{r^*}) = e(\sigma^*,\ U \cdot g_2^{m^* + y r^*})$$

Let $w^* = m^* + y r^*$. It follows that $(w^*, \sigma^*)$ is a valid message/signature pair
in the basic signature scheme. Furthermore, it is a valid existential forgery
for the basic scheme since in a type-1 forgery Algorithm B did not request
a signature on the message $w^* \in \mathbb{Z}_p^*$. Indeed, B only requested signatures on
messages $w_j = m_j + y r_j$ where $(m_j, r_j, g_2^{w_j})$ is a tuple in the H-list, but $g_2^{w^*}$
is not equal to any $g_2^{w_j}$ on the H-list. Algorithm B outputs $(w^*, \sigma^*)$ as the
required existential forgery.

• (If $c_{mode} = b_{type} = 2$). Let $(m_j, r_j, W_j)$ be a tuple on the H-list where
$W_j = W^*$. Since $V = U$ we know that $g_2^{m_j} U^{r_j} = g_2^{m^*} U^{r^*}$. Write $U = g_2^z$ for
some $z \in \mathbb{Z}_p^*$ so that $m_j + z r_j = m^* + z r^*$. We know that $(m_j, r_j) \neq (m^*, r^*)$,
otherwise the forgery would be identical to a previously given signature on
the query message $m_j$. Since $g_2^{m_j} U^{r_j} = g_2^{m^*} U^{r^*}$ it follows that $m_j \neq m^*$ and
$r_j \neq r^*$. Therefore, $z = (m^* - m_j)/(r_j - r^*) \in \mathbb{Z}_p^*$. Hence, B just recovered
the private key for the public key $(g_1, g_2, U)$ it was given. Algorithm B can
now forge a signature on any message of its choice.

This completes the description of Algorithm B.

A standard argument shows that if B does not abort, then, from the viewpoint
of A, the simulation provided by B is indistinguishable from a real attack
scenario. In particular, (i) the view from A is independent of the value of $c_{mode}$,
(ii) the public keys are uniformly distributed, and (iii) the signatures are correct.
Therefore, A produces a valid forgery in time t with probability at least $\epsilon$.

It remains to bound the probability that B does not abort. We argue as
follows:

— Conditionally on the event $c_{mode} = b_{type} = 1$, Algorithm B aborts if A issued
a signature query $m_i = w_i$. This happens with probability at most $q_S/p$.

— Conditionally on the event $c_{mode} = b_{type} = 2$, Algorithm B does not abort.

Since $c_{mode}$ is independent of $b_{type}$ we have that $\Pr[c_{mode} = b_{type}] = 1/2$. It now
follows that B produces a valid forgery with probability at least $\epsilon/2 - q_S/p$, as
required. □

Since in the full scheme a single message has many valid signatures, it is 
worth repeating that the full signature scheme is existentially unforgeable in the 
strong sense: the adversary cannot make any forgery, even on messages which 
are already signed. 

3.3 Relation to Chameleon Hash Signatures 

It is instructive to consider the relation between the full signature scheme above
and a signature construction based on the Strong RSA assumption due to Gennaro,
Halevi, and Rabin (GHR) [GHR99]. GHR signatures are pairs $(r, g^{1/H(m,r)})$
where H is a Chameleon hash [KR00], r is random in some range, and arithmetic
is done modulo an RSA modulus N. Looking closely, one can see some parallels
between the proof of security in Lemma 2 above and the proof of security
in [GHR99]. There are three interesting points to make:

— The $m + yr$ component in our signature scheme provides us with the functionality
of a Chameleon hash: given m, we can choose r so that $m + yr$
maps to some predefined value of our choice. This makes it possible to handle
the chosen message attack. Embedding the hash $m + yr$ directly in the
signature scheme results in a much more efficient construction than using an
explicit Chameleon hash (which requires additional exponentiations). This
is not known to be possible with Strong RSA signatures.

— One difficulty with GHR signatures is that given a solution $(6, g^{1/6})$ to the
Strong RSA problem one can deduce another solution, e.g. $(3, g^{1/3})$. Thus,
given a GHR signature on one message it is possible to deduce a GHR signature
on another message (see [GHR99, CN00] for details). Gennaro et al. solve this
problem by ensuring that $H(m, r)$ always maps to a prime; however, that
makes it difficult to compute the hash (a different solution is given in [CS00]).
This issue does not come up at all in our signature scheme above.

— We obtain short signatures since, unlike Strong RSA, the q-SDH assumption
applies to groups with a short representation.

Thus, we see that Strong Diffie-Hellman leads to signatures that are simpler,
more efficient, and shorter than their Strong RSA counterparts.

3.4 Limited Message Recovery 

We now describe another useful property of the signature schemes whereby the
total size of signed messages can be further reduced at the cost of increasing the
verification time. The technique applies equally well to the fully secure signature
scheme as to the weakly secure one.

A standard technique for shortening the total length of message/signature
pairs is to encode a part of the message in the signature [MVV97]. Signatures
based on trapdoor permutations support very efficient message recovery.

At the other end of the spectrum, a trivial signature compression mechanism
that applies to any signature scheme is as follows: Rather than transmit a
message/signature pair $(M, \sigma)$, the sender transmits $(\bar{M}, \sigma)$ where $\bar{M}$ is the same as
M except that the last t bits are truncated. In other words, $\bar{M}$ is t bits shorter
than M. To verify $(\bar{M}, \sigma)$ the verifier tries all $2^t$ possible values for the truncated
bits and accepts the signature if one of them verifies. To reconstruct the original
signed message M, the verifier appends to $\bar{M}$ the t bits for which the signature
verified.

This trivial method shows that the pair $(M, \sigma)$ can be shortened by t bits
at the cost of increasing verification time by a factor of $2^t$. For our signature
scheme we obtain a better tradeoff: the pair $(M, \sigma)$ can be shortened by t bits
at the cost of increasing verification time by a factor of $2^{t/2}$ only. We refer to
this property as limited message recovery.



Limited Message Recovery. Limited message recovery applies to both the full
signature scheme and the weakly secure signature scheme of Lemma 1. For
simplicity, we only show how limited message recovery applies to the full signature
scheme. Assume messages are k-bit strings represented as integers in $\mathbb{Z}_p^*$. Let
$(g_1, g_2, u, v)$ be a public key in the full scheme. Suppose we are given the signed
message $(\bar{m}, \sigma, r)$ where $\bar{m}$ is a truncation of the last t bits of $m \in \mathbb{Z}_p^*$. Thus
$m = \bar{m} \cdot 2^t + \delta$ for some integer $0 \leq \delta < 2^t$. Our goal is to verify the signed
message $(\bar{m}, \sigma, r)$ and to reconstruct the missing bits $\delta$ in time $2^{t/2}$. To do so,
we first rewrite the verification equation $e(\sigma, u \cdot v^r \cdot g_2^m) = e(g_1, g_2)$ as

$$e(\sigma, g_2)^m = \frac{e(g_1, g_2)}{e(\sigma,\ u \cdot v^r)}$$

Substituting $m = \bar{m} \cdot 2^t + \delta$ we obtain

$$e(\sigma, g_2)^\delta = \frac{e(g_1, g_2)}{e(\sigma,\ u \cdot v^r \cdot g_2^{\bar{m} \cdot 2^t})} \qquad (2)$$

Now, we say that $(\bar{m}, \sigma, r)$ is valid if there exists an integer $\delta \in [0, 2^t)$ satisfying
equation (2). Finding such a $\delta$ takes time approximately $2^{t/2}$ using Pollard's
Lambda method [MVV97, p.128] for computing discrete logarithms. Thus, we
can verify the signature and recover the t missing message bits in time $2^{t/2}$, as
required.
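Equation (2) carried out as an added example (not the paper's code) in the toy group model ($g^a$ stored as a mod P, pairing multiplies exponents). The bounded discrete logarithm is found with baby-step giant-step rather than the paper's Pollard lambda: the same $2^{t/2}$ group operations, deter­ministic, at the price of $2^{t/2}$ memory. Because the toy makes discrete logs trivial, the search touches $G_T$ only through the group operation, so the operation count is the one a real group would incur; the key, message, r and t are constructed.

```python
"""Added example (not the paper's code): limited message recovery via equation (2) in the
toy group model. The t missing bits delta are recovered by baby-step giant-step in GT
(about 2 * 2^(t/2) GT multiplications) instead of the paper's Pollard lambda."""
import math

P = 2**31 - 1                          # constructed toy prime; messages are integers < P
G1 = G2 = 1

def inv(a): return pow(a % P, P - 2, P)
def gexp(g, a): return (g * a) % P     # g^a
def gmul(u, v): return (u + v) % P     # u * v
def pairing(u, v): return (u * v) % P  # e(g1^a, g2^b) = e(g1, g2)^(ab)
# GT uses the same encoding; written separately so the search below reads as group code
GT_ONE = 0
def gt_mul(a, b): return (a + b) % P
def gt_inv(a): return (-a) % P

def sign_full(sk, m, r):
    """sigma = g1^(1/(x + m + y*r)); r is passed in so the example is deterministic."""
    x, y = sk
    return gexp(G1, inv(x + m + y * r)), r

def bsgs(base, target, bound):
    """Smallest delta in [0, bound) with base^delta = target in GT, or None."""
    m = math.isqrt(bound - 1) + 1      # m^2 >= bound
    table = {}
    cur = GT_ONE
    for j in range(m):                 # baby steps: base^j
        table.setdefault(cur, j)
        cur = gt_mul(cur, base)
    giant = gt_inv(cur)                # base^(-m)
    cur = target
    for i in range(m):                 # giant steps: target * base^(-i*m)
        if cur in table:
            delta = i * m + table[cur]
            return delta if delta < bound else None
        cur = gt_mul(cur, giant)
    return None

def verify_with_recovery(pk, m_trunc, sig, t):
    """Verify (m_trunc, sigma, r), where the last t bits of m were dropped, and return the
    recovered m; None if no delta in [0, 2^t) satisfies equation (2)."""
    g1, g2, u, v = pk
    sigma, r = sig
    base = pairing(sigma, g2)                                        # e(sigma, g2)
    known = gmul(gmul(u, gexp(v, r)), gexp(g2, m_trunc << t))        # u * v^r * g2^(m_trunc * 2^t)
    target = gt_mul(pairing(g1, g2), gt_inv(pairing(sigma, known)))  # e(g1,g2) / e(sigma, known)
    delta = bsgs(base, target, 1 << t)
    if delta is None:
        return None
    m = (m_trunc << t) | delta
    # the full verification equation must now hold for the reconstructed message
    assert pairing(sigma, gmul(known, gexp(g2, delta))) == pairing(g1, g2)
    return m

if __name__ == "__main__":
    x, y = 987654321, 123456789         # constructed secret key
    pk = (G1, G2, gexp(G2, x), gexp(G2, y))
    m, t = 0x5A5A5A5, 20
    sig = sign_full((x, y), m, 4242)
    print(hex(verify_with_recovery(pk, m >> t, sig, t)))   # 0x5a5a5a5
```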



Ultra Short Weakly Secure Signatures. Obvious applications of limited message
recovery are situations where bandwidth is extremely limited, such as when the
signature is an authenticator that is to be typed in by a human. The messages in
such applications are typically chosen and signed by a central authority, so that
adaptive chosen message attacks are typically not a concern. It is safe in those
cases to use the weakly secure signature scheme of Lemma 1, and apply limited
message recovery to further shrink the already compact signatures it produces.
Specifically, using t-bit truncation as above we obtain a total signature overhead
of $(160 - t)$ bits for common security parameters, at the cost of requiring $2^{t/2}$
pairing computations for signature verification. We emphasize that the security
of this system does not rely on random oracles.

3.5 Arbitrary Message Signing 

We can extend our signature schemes to sign arbitrary messages in $\{0,1\}^*$, as
opposed to merely messages in $\mathbb{Z}_p^*$, by first hashing the message using a collision-resistant
hash function $H : \{0,1\}^* \to \mathbb{Z}_p^*$ prior to both signing and verifying. A
standard argument shows that if the scheme above is secure against existential
forgery under a chosen message attack (in the strong sense) then so is the scheme
with the hash. The result is a signature scheme for arbitrary messages in $\{0,1\}^*$.
We note that there is no need for a full domain hash into $\mathbb{Z}_p^*$; a collision resistant
hash function $H : \{0,1\}^* \to \{1, \ldots, 2^k\}$ for $2^k < p$ is sufficient for the security
proof. This transformation applies to both the fully and the weakly secure
signature schemes described above.

4 Shorter Signatures with Random Oracles 

For completeness we show that the weakly secure signature scheme of Lemma 1
gives rise to very efficient and fully secure short signatures in the random oracle
model. To do so, we show a general transformation from any existentially
unforgeable signature scheme under a weak chosen message attack into an existentially
unforgeable signature scheme under a standard chosen message attack
(in the strong sense), in the random oracle model. This gives a very efficient short
signature scheme based on q-SDH in the random oracle model. We analyze our
construction using a method of Katz and Wang [KW03] which gives a very tight
reduction to the security of the underlying signature. We note that a closely
related system with a weaker security analysis was independently discovered by
Zhang et al. [ZSNS04].

Let (KeyGen, Sign, Verify) be an existentially unforgeable signature under
a weak chosen message attack. We assume that the scheme signs messages in
some finite set $\Sigma$ and that the private keys are in some set $\Pi$. We need two hash
functions $H_1 : \Pi \times \{0,1\}^* \to \{0,1\}$ and $H_2 : \{0,1\} \times \{0,1\}^* \to \Sigma$ that will be
viewed as random oracles in the security analysis. The hash-signature scheme is
as follows:

Key generation: Same as KeyGen. The public key is PK; the secret key is
$SK \in \Pi$.

Signing: Given a secret key SK, and given a message $M \in \{0,1\}^*$, compute
$b \leftarrow H_1(SK, M) \in \{0,1\}$ and $m \leftarrow H_2(b, M) \in \Sigma$. Output the signature
$(b, \mathrm{Sign}(m))$. Note that signatures are one bit longer than in the underlying
signature scheme.

Verification: Given a public key PK, a message $M \in \{0,1\}^*$, and a signature
$(b, \sigma)$, output valid if $\mathrm{Verify}(PK, H_2(b, M), \sigma) = \mathrm{valid}$.

Theorem 2 below proves security of the scheme. Note that the security
reduction in Theorem 2 is tight, namely, an attacker on the hash-signature scheme
with success probability $\epsilon$ is converted to an attacker on the underlying signature
with success probability approximately $\epsilon/2$. Proofs of signature schemes in
the random oracle model are often far less tight. The proof is given in the full
version of the paper [BB04b].

Theorem 2. Suppose (KeyGen, Sign, Verify) is $(t', q_S', \epsilon')$-existentially unforgeable
under a weak chosen message attack. Then the corresponding hash-signature
scheme is $(t, q_S, q_H, \epsilon)$-secure against existential forgery under an adaptive chosen
message attack, in the random oracle model, whenever $q_S + q_H < q_S'$, and for
all t and $\epsilon$ satisfying

$$t \leq t' - o(t') \qquad\text{and}\qquad \epsilon \geq 2\epsilon'/(1 - q_S/p) \approx 2\epsilon'$$

Applying Theorem 2 to the weakly secure scheme of Lemma 1 gives an efficient
short signature existentially unforgeable under a standard chosen message
attack in the random oracle model assuming $(q_S + q_H + 1)$-SDH. For a public
key $(g_1, g_2, v = g_2^x)$ and hash function $H : \{0,1\}^* \to \mathbb{Z}_p^*$ a signature on a
message m is defined as the value $\sigma \leftarrow g_1^{1/(x + H(b, m))}$ concatenated with
the bit $b \in \{0,1\}$. To verify the signature, check that $e(\sigma, v \cdot g_2^{H(b,m)}) = e(g_1, g_2)$.
We see that signature length is essentially the same as in BLS signatures, but
verification time is approximately half that of BLS. During verification, exponentiation
is always base $g_2$ which enables a further speed-up by pre-computing
certain powers of $g_2$.
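The hash-signature transform and its instantiation with the weak scheme, as an added example that is not the paper's code, in the toy group model ($g^a$ stored as a mod P, pairing multiplies exponents). $H_1$ and $H_2$ are instantiated with domain-separated SHA-256 here, a constructed choice standing in for the random oracles of the proof; the secret key and the sample message are constructed. It also makes visible that the bit b is a function of (SK, M), so the signer needs no fresh randomness and re-signing a message reproduces the same signature.

```python
"""Added example (not the paper's code): the Section 4 hash-signature scheme built on the
weak scheme of Lemma 1, in the toy group model (g^a stored as a mod P). H1 and H2 are
SHA-256 with domain separation, a constructed stand-in for the proof's random oracles."""
import hashlib

P = 2**31 - 1                          # constructed toy prime
G1 = G2 = 1

def inv(a): return pow(a % P, P - 2, P)
def gexp(g, a): return (g * a) % P     # g^a
def gmul(u, v): return (u + v) % P     # u * v
def pairing(u, v): return (u * v) % P  # e(g1^a, g2^b) = e(g1, g2)^(ab)

def H1(sk, M):
    """H1 : Pi x {0,1}^* -> {0,1}: one bit derived from the secret key and the message."""
    h = hashlib.sha256(b"H1|" + sk.to_bytes(8, "big") + b"|" + M).digest()
    return h[0] & 1

def H2(b, M):
    """H2 : {0,1} x {0,1}^* -> Z_p^* (Section 3.5 notes a hash into [1, 2^k], 2^k < p, suffices)."""
    h = hashlib.sha256(b"H2|" + bytes([b]) + b"|" + M).digest()
    return int.from_bytes(h, "big") % (P - 1) + 1

def keygen(x):
    """Weak-scheme key pair (g1, g2, v = g2^x), x; x is supplied so the example is deterministic."""
    return (G1, G2, gexp(G2, x)), x

def sign(sk, M):
    b = H1(sk, M)
    m = H2(b, M)
    return b, gexp(G1, inv(sk + m))    # (b, g1^(1/(x + H2(b, M)))): one bit longer than the weak scheme

def verify(pk, M, sig):
    g1, g2, v = pk
    b, sigma = sig
    m = H2(b, M)
    return pairing(sigma, gmul(v, gexp(g2, m))) == pairing(g1, g2)   # e(sigma, v * g2^H(b,M)) = e(g1, g2)

if __name__ == "__main__":
    pk, sk = keygen(987654321)
    M = b"postage stamp 0001"           # constructed message
    print(verify(pk, M, sign(sk, M)))   # True
```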

Full Domain Hash. Another method for converting a signature scheme secure
under a weak chosen message attack into a scheme secure under a standard
chosen message attack is to simply apply Sign and Verify to H(M) rather than
M. In other words, we hash $M \in \{0,1\}^*$ using a full domain hash H prior
to signing and verifying. Security in the random oracle model is shown using a
similar argument to Coron's analysis of the Full Domain Hash [Cor00]. However,
the resulting reduction is not tight: an attacker on this hash-then-sign signature
with success probability $\epsilon$ yields an attacker on the underlying signature with
success probability approximately $\epsilon/q_S$. We note, however, that these proofs are
set in the random oracle model and therefore it is not clear whether the efficiency
of the security reduction is relevant to actual security in the real world. Therefore,
since this full domain hash signature scheme is slightly simpler than the system in
Theorem 2 it might be preferable to use it rather than the system of Theorem 2.
When we apply the full domain hash to the weakly secure scheme of Lemma 1,
we obtain a secure signature under a standard chosen message attack assuming
$(q_S + q_H + 1)$-SDH. A signature is one element, namely $\sigma \leftarrow g_1^{1/(x + H(m))}$. As
before, signature verification is twice as fast as in BLS signatures. As mentioned
above, a similar scheme was independently proposed by Zhang et al. [ZSNS04].
We also note that, in the random oracle model, security of this full domain hash
scheme can be proven under a slightly weaker complexity assumption than q-SDH,
namely that the value c in the q-SDH assumption is pre-specified rather
than chosen by the adversary. However, the resulting security reduction is far
less efficient.

5 Generic Security of the $q$-SDH Assumption

To provide more confidence in the $q$-SDH assumption we prove a lower bound on the computational complexity of the $q$-SDH problem for generic groups in the sense of Shoup [Sho97].

In the generic group model, elements of $G_1$, $G_2$, and $G_T$ appear to be encoded as unique random strings, so that no property other than equality can be directly tested by the adversary. Five oracles are assumed to perform operations between group elements, such as computing the group action in each of the three groups $G_1, G_2, G_T$, as well as the isomorphism $\psi : G_2 \to G_1$, and the bilinear pairing $e : G_1 \times G_2 \to G_T$. The opaque encoding of the elements of $G_1$ is modeled as an injective function $\xi_1 : \mathbb{Z}_p \to \Xi_1$, where $\Xi_1 \subset \{0,1\}^*$, which maps all $a \in \mathbb{Z}_p$ to the string representation $\xi_1(a)$ of $g_1^a \in G_1$. We similarly define $\xi_2 : \mathbb{Z}_p \to \Xi_2$ for $G_2$ and $\xi_T : \mathbb{Z}_p \to \Xi_T$ for $G_T$. The attacker $\mathcal{A}$ communicates with the oracles using the $\xi$-representations of the group elements only.

Theorem 3. Let $\mathcal{A}$ be an algorithm that solves the $q$-SDH problem in the generic group model, making a total of at most $q_G$ queries to the oracles computing the group action in $G_1, G_2, G_T$, the oracle computing the isomorphism $\psi$, and the oracle computing the bilinear pairing $e$. If $x \in \mathbb{Z}_p^*$ and $\xi_1, \xi_2, \xi_T$ are chosen at random, then the probability $\epsilon$ that $\mathcal{A}(p, \xi_1(1), \xi_2(1), \xi_2(x), \ldots, \xi_2(x^q))$ outputs $(c, \xi_1(\tfrac{1}{x+c}))$ with $c \in \mathbb{Z}_p^*$, is bounded by

$$\epsilon \le \frac{(q_G + q + 2)^2\, q}{p} = O\!\left(\frac{q_G^2\, q + q^3}{p}\right).$$

Proof. Consider an algorithm $\mathcal{B}$ that plays the following game with $\mathcal{A}$.

$\mathcal{B}$ maintains three lists of pairs $L_1 = \{(F_{1,i}, \xi_{1,i}) : i = 0, \ldots, \tau_1 - 1\}$, $L_2 = \{(F_{2,i}, \xi_{2,i}) : i = 0, \ldots, \tau_2 - 1\}$, $L_T = \{(F_{T,i}, \xi_{T,i}) : i = 0, \ldots, \tau_T - 1\}$, such that, at step $\tau$ in the game, $\tau_1 + \tau_2 + \tau_T = \tau + q + 2$. The $F_{1,i}$ and $F_{2,i}$ are polynomials of degree $\le q$ in $\mathbb{Z}_p[x]$, and the $F_{T,i}$ are polynomials of degree $\le 2q$ in $\mathbb{Z}_p[x]$. The $\xi_{1,i}$, $\xi_{2,i}$, $\xi_{T,i}$ are strings in $\{0,1\}^*$. The lists are initialized at step $\tau = 0$ by taking $\tau_1 = 1$, $\tau_2 = q + 1$, $\tau_T = 0$, and posing $F_{1,0} = 1$ and $F_{2,i} = x^i$ for $i \in \{0, \ldots, q\}$. The corresponding $\xi_{1,0}$ and $\xi_{2,i}$ are set to arbitrary distinct strings in $\{0,1\}^*$.

We may assume that $\mathcal{A}$ only makes oracle queries on strings previously obtained from $\mathcal{B}$, since $\mathcal{B}$ can make them arbitrarily hard to guess. We note that $\mathcal{B}$ can determine the index $i$ of any given string $\xi_{1,i}$ in $L_1$ (resp. $\xi_{2,i}$ in $L_2$, or $\xi_{T,i}$ in $L_T$), breaking ties between multiple matches arbitrarily.

$\mathcal{B}$ starts the game by providing $\mathcal{A}$ with the $q + 2$ strings $\xi_{1,0}, \xi_{2,0}, \ldots, \xi_{2,q}$. Queries go as follows.

Group action: Given a multiply/divide selection bit and two operands $\xi_{1,i}$ and $\xi_{1,j}$ with $0 \le i, j < \tau_1$, we compute $F_{1,\tau_1} \leftarrow F_{1,i} \pm F_{1,j} \in \mathbb{Z}_p[x]$ depending on whether a multiplication or a division is requested. If $F_{1,\tau_1} = F_{1,l}$ for some $l < \tau_1$, we set $\xi_{1,\tau_1} \leftarrow \xi_{1,l}$; otherwise, we set $\xi_{1,\tau_1}$ to a string in $\{0,1\}^*$ distinct from $\xi_{1,0}, \ldots, \xi_{1,\tau_1 - 1}$. We add $(F_{1,\tau_1}, \xi_{1,\tau_1})$ to $L_1$ and give $\xi_{1,\tau_1}$ to $\mathcal{A}$, then increment $\tau_1$ by one. Group action queries in $G_2$ and $G_T$ are treated similarly.

Isomorphism: Given a string $\xi_{2,i}$ with $0 \le i < \tau_2$, we let $F_{1,\tau_1} \leftarrow F_{2,i} \in \mathbb{Z}_p[x]$. If $F_{1,\tau_1} = F_{1,l}$ for some $l < \tau_1$, we set $\xi_{1,\tau_1} \leftarrow \xi_{1,l}$; otherwise, we set $\xi_{1,\tau_1}$ to a string in $\{0,1\}^* \setminus \{\xi_{1,0}, \ldots, \xi_{1,\tau_1 - 1}\}$. We add $(F_{1,\tau_1}, \xi_{1,\tau_1})$ to $L_1$, give $\xi_{1,\tau_1}$ to $\mathcal{A}$, and increment $\tau_1$ by one.

Pairing: Given two operands $\xi_{1,i}$ and $\xi_{2,j}$ with $0 \le i < \tau_1$ and $0 \le j < \tau_2$, we compute the product $F_{T,\tau_T} \leftarrow F_{1,i}\, F_{2,j} \in \mathbb{Z}_p[x]$. If $F_{T,\tau_T} = F_{T,l}$ for some $l < \tau_T$, we set $\xi_{T,\tau_T} \leftarrow \xi_{T,l}$; otherwise, we set $\xi_{T,\tau_T}$ to a string in $\{0,1\}^* \setminus \{\xi_{T,0}, \ldots, \xi_{T,\tau_T - 1}\}$. We add $(F_{T,\tau_T}, \xi_{T,\tau_T})$ to $L_T$, give $\xi_{T,\tau_T}$ to $\mathcal{A}$, and increment $\tau_T$ by one.

$\mathcal{A}$ terminates and returns a pair $(c, \xi_{1,\ell})$ where $0 \le \ell < \tau_1$. At this point $\mathcal{B}$ chooses a random $x^* \in \mathbb{Z}_p$. The simulation provided by $\mathcal{B}$ is perfect unless the choice of $x^*$ creates an equality relation between the simulated group elements that was not revealed to $\mathcal{A}$. Thus, the success probability of $\mathcal{A}$ is bounded by the probability that any of the following holds:

1. $F_{1,i}(x^*) - F_{1,j}(x^*) = 0$ for some $i, j$ such that $F_{1,i} \ne F_{1,j}$,

2. $F_{2,i}(x^*) - F_{2,j}(x^*) = 0$ for some $i, j$ such that $F_{2,i} \ne F_{2,j}$,

3. $F_{T,i}(x^*) - F_{T,j}(x^*) = 0$ for some $i, j$ such that $F_{T,i} \ne F_{T,j}$,

4. $(x^* + c)\, F_{1,\ell}(x^*) - 1 = 0$.

Since $F_{1,i} - F_{1,j}$ for fixed $i$ and $j$ is a polynomial of degree at most $q$, it vanishes at a random $x^* \in \mathbb{Z}_p$ with probability at most $q/p$. Similarly, for fixed $i$ and $j$, the second case occurs with probability $\le q/p$, the third with probability $\le 2q/p$ (since $F_{T,i} - F_{T,j}$ has degree at most $2q$), and the fourth with probability $\le (q+1)/p$. By summing over all valid pairs $(i, j)$ in each case, we find that $\mathcal{A}$ wins the game with probability $\epsilon \le \binom{\tau_1}{2}\frac{q}{p} + \binom{\tau_2}{2}\frac{q}{p} + \binom{\tau_T}{2}\frac{2q}{p} + \frac{q+1}{p}$. Since $\tau_1 + \tau_2 + \tau_T \le q_G + q + 2$, the required bound follows: $\epsilon \le (q_G + q + 2)^2 (q/p) = O(q_G^2 (q/p) + q^3/p)$. □

Corollary 1. Any adversary that solves the $q$-SDH problem with constant probability $\epsilon > 0$ in generic groups of order $p$ such that $q < o(\sqrt{p})$ requires $\Omega(\sqrt{\epsilon p / q})$ generic group operations.
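The simulator $\mathcal{B}$ from the proof of Theorem 3, written out as an added example (not code from the paper): group elements are tracked as polynomials in $\mathbb{Z}_p[x]$ while the adversary sees only opaque handle strings, and the final step draws $x^*$ and checks for the four failure cases. The toy prime $p$, the handle format, and the class and method names are this example's own assumptions.

```python
"""Simulator B of the generic-group proof of Theorem 3 (added example).

Elements of G_1, G_2, G_T are represented by polynomials F in Z_p[x]
(coefficient tuples, lowest degree first).  The adversary A only receives
opaque handle strings xi.  B answers group-action, isomorphism and pairing
queries symbolically; finish() draws x* and reports whether an unrevealed
equality (cases 1-3) or a genuine SDH solution (case 4) occurred."""
import secrets

P = 1000003  # constructed toy group order; a real p would be 160+ bits


def poly_trim(c):
    c = list(c)
    while len(c) > 1 and c[-1] == 0:
        c.pop()
    return tuple(c)


def poly_add(a, b, p=P):
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return poly_trim((x + y) % p for x, y in zip(a, b))


def poly_sub(a, b, p=P):
    return poly_add(a, tuple((-y) % p for y in b), p)


def poly_mul(a, b, p=P):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return poly_trim(out)


def poly_eval(a, x, p=P):
    r = 0
    for c in reversed(a):            # Horner's rule
        r = (r * x + c) % p
    return r


class GenericGroupSim:
    """B's lists L_1, L_2, L_T, each a list of (F, xi) pairs."""

    def __init__(self, q, p=P):
        self.p, self.q, self.queries = p, q, 0
        self.lists = {1: [], 2: [], "T": []}
        # step tau = 0: F_{1,0} = 1 and F_{2,i} = x^i for i = 0..q
        self.g1 = self._handle(1, (1,))
        self.g2_powers = [self._handle(2, (0,) * i + (1,)) for i in range(q + 1)]

    def _handle(self, grp, F):
        """Reuse the existing handle if F already occurs in L_grp, else mint one."""
        for G, xi in self.lists[grp]:
            if G == F:
                return xi
        xi = f"{grp}:{secrets.token_hex(8)}"   # fresh string, hard to guess
        self.lists[grp].append((F, xi))
        return xi

    def _poly(self, grp, xi):
        for F, h in self.lists[grp]:
            if h == xi:
                return F
        raise ValueError("handle was never issued by B")

    def group_action(self, grp, xi_i, xi_j, divide=False):
        """Multiply (or divide) in G_grp: add (or subtract) the polynomials."""
        self.queries += 1
        Fi, Fj = self._poly(grp, xi_i), self._poly(grp, xi_j)
        F = poly_sub(Fi, Fj, self.p) if divide else poly_add(Fi, Fj, self.p)
        return self._handle(grp, F)

    def isomorphism(self, xi_2):
        """psi: G_2 -> G_1 copies the polynomial into L_1."""
        self.queries += 1
        return self._handle(1, self._poly(2, xi_2))

    def pairing(self, xi_1, xi_2):
        """e: G_1 x G_2 -> G_T multiplies the polynomials (degree <= 2q)."""
        self.queries += 1
        return self._handle("T", poly_mul(self._poly(1, xi_1), self._poly(2, xi_2), self.p))

    def finish(self, c, xi_out, x_star=None):
        """A returned (c, xi_out).  Draw x* (or use the given one) and report
        whether the simulation failed (cases 1-3) or case 4 holds."""
        x = secrets.randbelow(self.p - 1) + 1 if x_star is None else x_star
        for grp in (1, 2, "T"):
            seen = {}
            for F, _ in self.lists[grp]:
                v = poly_eval(F, x, self.p)
                if v in seen and seen[v] != F:
                    return True      # distinct polynomials collided at x*
                seen[v] = F
        F = self._poly(1, xi_out)
        return ((x + c) * poly_eval(F, x, self.p) - 1) % self.p == 0


def demo(q=3):
    """A few queries: revealed equalities must come out consistent."""
    sim = GenericGroupSim(q)
    g2, g2x = sim.g2_powers[0], sim.g2_powers[1]
    g1x = sim.isomorphism(g2x)                               # psi(g_2^x) = g_1^x
    same = sim.pairing(sim.g1, g2x) == sim.pairing(g1x, g2)  # e(g_1, g_2^x) = e(g_1^x, g_2)
    one = sim.group_action(2, g2x, g2x, divide=True)         # g_2^x / g_2^x = identity
    return same, sim._poly(2, one) == (0,), sim.queries
```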
6 Conclusions

We presented a number of short signature schemes based on the $q$-SDH assumption. Our main result is a short signature which is fully secure without using the random oracle model. The signature is as short as DSA signatures, but is provably secure in the standard model. We also showed that the scheme supports limited message recovery, for even greater compactness.

These constructions are possible thanks to properties of the $q$-SDH assumption. The assumption can be viewed as a discrete logarithm analogue of the Strong RSA assumption. We believe the $q$-SDH assumption is a useful tool for constructing cryptographic systems and we expect to see many other schemes based on it. For example, we mention a new group signature scheme of Boneh et al. [BBS04].
Abstract. An aggregate signature scheme (recently proposed by Boneh, Gentry, Lynn, and Shacham) is a method for combining $n$ signatures from $n$ different signers on $n$ different messages into one signature of unit length. We propose sequential aggregate signatures, in which the set of signers is ordered. The aggregate signature is computed by having each signer, in turn, add his signature to it. We show how to realize this in such a way that the size of the aggregate signature is independent of $n$. This makes sequential aggregate signatures a natural primitive for certificate chains, whose length can be reduced by aggregating all signatures in a chain. We give a construction in the random oracle model based on families of certified trapdoor permutations, and show how to instantiate our scheme based on RSA.



1 Introduction 

Authentication constitutes one of the core problems in cryptography. Much mod- 
ern research focuses on constructing authentication schemes that are: (1) as se- 
cure as possible, i.e., provably secure under the most general assumptions; and 
(2) as efficient as possible, i.e., communication- and computation-efficient. For 
cryptographic schemes to be adopted in practice, efficiency is crucial. Moreover, 
communication and storage efficiency - namely, the size of the authentication 
data, for example the size of a signature - plays an even greater role than compu- 
tation: While computational power of modern computers has experienced rapid 
growth over the last several decades, the growth in bandwidth of communication 
networks seems to have more constraints. 

As much as we wish to reduce the size of a stand-alone signature, its length is lower-bounded by the security parameter. The problem becomes more interesting, however, once we have $n$ different signers with public keys $PK_1, \ldots, PK_n$, and each of them wants to sign her own message, $M_1, \ldots, M_n$, respectively. Suppose that the public keys and the messages are known to the signature recipient ahead of time, or clear from context. We want, in some way, to combine the authenticating information associated with this set of signers and messages into one short signature, whose length is independent of $n$.

This problem actually arises in practice. For example, in a Public Key Infrastructure (PKI) of depth $n$, a certificate on a user's public key consists of a chain of certificates issued by a hierarchy of certification authorities (CAs): the CA at depth $i$ certifies the CA at depth $i + 1$. Which CAs were responsible for certifying a given user is usually clear from the context, and the public keys of these CAs may be available to the recipient off-line. The user's certificate, however, needs to be included in all of his communications, and therefore it is highly desirable to make its length independent of the length of the certification chain. Even if the entire certificate chain must be transmitted, significant space savings can be realized. In a typical X.509 certificate, 15% of the length is due to the signature.

Recently, Boneh et al. [5] introduced and realized aggregate signatures. An aggregate signature scheme is a signature scheme which, in addition to the usual setup, signing, and verification algorithms, admits an efficient algorithm for aggregating $n$ signatures under $n$ different public keys into one signature of unit length. Namely, suppose each of $n$ users has a public-private key pair $(PK_i, SK_i)$; each wishes to attest to a message $M_i$. Each user first signs her message $M_i$, obtaining a signature $\sigma_i$; the $n$ signatures can then be combined by an unrelated party into an aggregate $\sigma$. An aggregate signature scheme also includes an extra verification algorithm that verifies such an aggregate signature. An aggregate signature provides non-repudiation simultaneously on message $M_1$ for User 1, message $M_2$ for User 2, and so forth. Crucially, such non-repudiation holds for each user regardless of whether other users are malicious. Boneh et al. construct an aggregate signature scheme in the random oracle model under the bilinear Diffie-Hellman assumption (see, for example, Boneh and Franklin [4] and references therein).

For applications such as certificate chains, the ability to combine preexisting individual signatures into an aggregate is unnecessary. Each user, when producing a signature, is aware of the signatures above his in the chain. Thus aggregation for certificate chains should be performed incrementally and sequentially, so that User $i$, given an aggregate on messages $M_1, \ldots, M_{i-1}$ under keys $PK_1, \ldots, PK_{i-1}$, outputs an aggregate on messages $M_1, \ldots, M_{i-1}, M_i$ under keys $PK_1, \ldots, PK_{i-1}, PK_i$. We call such a procedure sequential aggregation, and a signature scheme supporting it, a sequential aggregate signature scheme.

In this paper, we begin by giving a formal definition of sequential aggregate signatures. We then show how to realize such signatures from a family of certified¹ trapdoor permutations (TDPs) over the same domain, as long as the domain is a group under some operation. We prove security (with exact security analysis) of our construction in the random oracle model; we give tighter security guarantees for the special cases of homomorphic and claw-free TDPs. As compared to the scheme of Boneh et al. [5], our scheme places more restrictions on the signers because of the sequentiality requirement, but relies on a more accepted, more general assumption.

¹ A TDP is certified [2] if one can verify from the public key that it is actually a permutation.

Finally, we show how to instantiate our construction with the RSA trapdoor permutation. This instantiation turns out to be more difficult than may be expected, because of the possibility of maliciously generated RSA keys: We need to provide security for User $i$ regardless of whether other users are honest. There are essentially four problems. The first is that our scheme assumes multiple trapdoor permutations over the same domain, which RSA does not provide. The second is that RSA is not a certified trapdoor permutation: for a maliciously generated public key, it can indeed be very far from a permutation. The third is that the domain of RSA is not the convenient $\mathbb{Z}_N$, but rather $\mathbb{Z}_N^*$, which can be much smaller for maliciously generated $N$. Finally, the natural group operation on $\mathbb{Z}_N^*$ (multiplication) is not a group operation on $\mathbb{Z}_N$. We overcome these problems with techniques that may be of independent interest. In particular, we turn RSA into a certified trapdoor permutation over all of $\mathbb{Z}_N$.

Other Related Work. Aggregate signatures are related to multisignatures [14, 16, 15, 3]. In particular, our aggregate signature scheme has similarities with the multisignature scheme of Okamoto [16] (though the latter has no security proof and, indeed, is missing important details that would make the security proof possible, as shown by Micali et al. [13]). Also of interest are threshold signatures, in particular the non-interactive threshold signature scheme due to Shoup [18], where we have a set of $n$ signers, and a threshold $t$, such that signature shares from any $k$ signers with $t \le k \le n$ can be combined into one signature. They are different from aggregate signatures in several crucial aspects: threshold signatures require an expensive (or trusted) setup procedure; pieces of a threshold signature do not constitute a stand-alone signature; pieces of a threshold signature can only be combined into one once there are enough of them; and a threshold signature looks the same no matter which of the signers contributed pieces to it.

2 Preliminaries 

We recall the definitions of trapdoor permutations and ordinary digital signatures, and the full-domain hash signatures based on trapdoor permutations. We also define certified trapdoor permutations, which are needed for building sequential aggregate signatures. In addition, we define claw-free permutations and homomorphic trapdoor permutations, whose properties are used to achieve a better security reduction.

2.1 Trapdoor One-Way Permutations

Let $D$ be a group over some operation $\oplus$. For simplicity, we assume that choosing an element of $D$ at random, computing $\oplus$, and inverting $\oplus$ each take unit time.

A trapdoor permutation family $\Pi$ over $D$ is defined as a triple of algorithms: Generate, Evaluate, and Invert. The randomized generation algorithm Generate




Sequential Aggregate Signatures from Trapdoor Permutations 



77 



outputs the description $s$ of a permutation along with the corresponding trapdoor $t$. The evaluation algorithm Evaluate, given the permutation description $s$ and a value $x \in D$, outputs $a \in D$, the image of $x$ under the permutation. The inversion algorithm Invert, given the permutation description $s$, the trapdoor $t$, and a value $a \in D$, outputs the preimage of $a$ under the permutation.

We require that $\mathrm{Evaluate}(s, \cdot)$ be a permutation of $D$ for all $(s, t) \leftarrow \mathrm{Generate}$, and that $\mathrm{Invert}(s, t, \mathrm{Evaluate}(s, x)) = x$ hold for all $(s, t) \leftarrow \mathrm{Generate}$ and for all $x \in D$. The algorithms Generate, Evaluate, and Invert are assumed to take unit time for simplicity.

Definition 1. The advantage of an algorithm $\mathcal{A}$ in inverting a trapdoor permutation family is

$$\mathrm{Adv\,Invert}_{\mathcal{A}} = \Pr\big[\, x = \mathcal{A}(s, \mathrm{Evaluate}(s, x)) \;:\; (s, t) \leftarrow \mathrm{Generate},\ x \leftarrow D \,\big].$$

The probability is taken over the coin tosses of Generate and of $\mathcal{A}$. An algorithm $\mathcal{A}$ $(t, \epsilon)$-inverts a trapdoor permutation family if $\mathcal{A}$ runs in time at most $t$ and $\mathrm{Adv\,Invert}_{\mathcal{A}}$ is at least $\epsilon$. A trapdoor permutation family is $(t, \epsilon)$-one-way if no algorithm $(t, \epsilon)$-inverts the trapdoor permutation family.

Note that this definition of a trapdoor permutation family requires that there exist multiple trapdoor permutations over the same domain $D$. We avoid the use of an infinite sequence of domains $D$, one for each security parameter, by simply fixing the security parameter and considering concrete security.

When it engenders no ambiguity, we consider the output of the generation algorithm Generate as a probability distribution $\Pi$ on permutations, and write $(\pi, \pi^{-1}) \leftarrow \Pi$; here $\pi$ is the permutation $\mathrm{Evaluate}(s, \cdot)$, and $\pi^{-1}$ is the inverse permutation $\mathrm{Invert}(s, t, \cdot)$.



2.2 Certified Trapdoor Permutations

The trapdoor permutation families used in sequential aggregation must be certified trapdoor permutation families [2]. A certified trapdoor permutation family is one such that, for any string $s$, it is easy to determine whether $s$ can have been output by Generate, and thereby ensure that $\mathrm{Evaluate}(s, \cdot)$ is a permutation. This is important when permutation descriptions $s$ can be generated by malicious parties.

Applying the definitions above to the RSA permutation family requires some care. RSA gives permutations over domains $\mathbb{Z}_N^*$, where each user has a distinct modulus $N$. Moreover, given just a public key $(N, e)$, certifying that the key describes a permutation is difficult. We consider this further in Sect. 5.

2.3 Claw-Free Permutations, Homomorphic Trapdoor Permutations

We now describe two variants of trapdoor permutations: claw-free permutations and homomorphic trapdoor permutations. The features these variants provide are not needed in the description of the sequential aggregate signature scheme, but allow a more efficient security reduction in Theorem 4.

A claw-free permutation family $\Pi$ [11] is a trapdoor permutation family with an additional permutation $g : D \to D$, evaluated by algorithm $\mathrm{EvaluateG}(s, \cdot)$. More generally, $g$ can map any domain $E$ onto $D$ as long as the uniform distribution on $E$ induces the uniform distribution on $g(E)$. We assume that algorithm EvaluateG runs in unit time, and choosing an element of $E$ at random also takes unit time, just as above.



Definition 2. The advantage of an algorithm $\mathcal{A}$ in finding a claw in a claw-free permutation family is

$$\mathrm{Adv\,Claw}_{\mathcal{A}} = \Pr\big[\, \mathrm{Evaluate}(s, x) = \mathrm{EvaluateG}(s, y) \;:\; (s, t) \leftarrow \mathrm{Generate},\ (x, y) \leftarrow \mathcal{A}(s) \,\big].$$

The probability is taken over the coin tosses of Generate and of $\mathcal{A}$. An algorithm $\mathcal{A}$ $(t, \epsilon)$-breaks a claw-free permutation family if $\mathcal{A}$ runs in time at most $t$ and $\mathrm{Adv\,Claw}_{\mathcal{A}}$ is at least $\epsilon$. A permutation family is $(t, \epsilon)$-claw-free if no algorithm $(t, \epsilon)$-breaks the claw-free permutation family.

When it engenders no ambiguity, we abbreviate $\mathrm{EvaluateG}(s, \cdot)$ as $g(\cdot)$, and write $(\pi, \pi^{-1}, g) \leftarrow \Pi$. In this compact notation, a claw is a pair $(x, y)$ such that $\pi(x) = g(y)$.

One obtains from every claw-free permutation family a trapdoor permutation family, simply by ignoring EvaluateG [11]. The proof is straightforward. Suppose there exists an algorithm $\mathcal{A}$ that inverts $\pi$ with nonnegligible probability. One selects $y \leftarrow E$, and provides $\mathcal{A}$ with $z = g(y)$, which is uniformly distributed in $D$. If $\mathcal{A}$ outputs $x$ such that $x = \pi^{-1}(z)$, then it has uncovered a claw $\pi(x) = g(y)$.

A trapdoor permutation family is homomorphic if $D$ is a group with some operation $*$ and if, for all $(s, t)$ generated by Generate, the permutation $\pi : D \to D$ induced by $\mathrm{Evaluate}(s, \cdot)$ is an automorphism on $D$ with $*$. That is, if $a = \pi(x)$ and $b = \pi(y)$, then $a * b = \pi(x * y)$. The group action $*$ is assumed to be computable in unit time. The operation $*$ can be different from the operation $\oplus$ given above; we do not require any particular relationship (e.g., distributivity) between $\oplus$ and $*$.

One obtains from every homomorphic trapdoor permutation family a claw-free permutation family [10]. Pick some $z \ne 1 \in D$, and define $g(x) = z * \pi(x)$. In this case, $E = D$. Then a claw $\pi(x) = g(y) = z * \pi(y)$ reveals $\pi^{-1}(z) = x * (1/y)$ (where the inverse is with respect to $*$).



2.4 Digital Signatures 

We review the well-known definition of security for ordinary digital signatures.

Existential unforgeability under a chosen message attack [11] in the random oracle model [1] for a signature scheme (KeyGen, Sign, and Verify) with a random oracle $H$ is defined using the following game between a challenger and an adversary $\mathcal{A}$:

Setup. The challenger runs algorithm KeyGen to obtain a public key $PK$ and private key $SK$. The adversary $\mathcal{A}$ is given $PK$.

Queries. Proceeding adaptively, $\mathcal{A}$ requests signatures with $PK$ on at most $q_S$ messages of his choice $M_1, \ldots, M_{q_S} \in \{0,1\}^*$. The challenger responds to each query with a signature $\sigma_i = \mathrm{Sign}(SK, M_i)$. Algorithm $\mathcal{A}$ also adaptively asks for at most $q_H$ queries of the random oracle $H$.

Output. Eventually, $\mathcal{A}$ outputs a pair $(M, \sigma)$ and wins the game if (1) $M$ is not any of $M_1, \ldots, M_{q_S}$, and (2) $\mathrm{Verify}(PK, M, \sigma) = \mathrm{valid}$.

We define $\mathrm{Adv\,Sig}_{\mathcal{A}}$ to be the probability that $\mathcal{A}$ wins in the above game, taken over the coin tosses of KeyGen and of $\mathcal{A}$.

Definition 3. A forger $\mathcal{A}$ $(t, q_H, q_S, \epsilon)$-breaks a signature scheme if $\mathcal{A}$ runs in time at most $t$; $\mathcal{A}$ makes at most $q_S$ signature queries and at most $q_H$ queries to the random oracle; and $\mathrm{Adv\,Sig}_{\mathcal{A}}$ is at least $\epsilon$. A signature scheme is $(t, q_H, q_S, \epsilon)$-existentially unforgeable under an adaptive chosen-message attack if no forger $(t, q_H, q_S, \epsilon)$-breaks it.

2.5 Full-Domain Signatures

We review the full-domain hash signature scheme. The scheme, introduced by Bellare and Rogaway [1], works in any trapdoor one-way permutation family. The more efficient security reduction given by Coron [8] additionally requires that the permutation family be homomorphic. Dodis and Reyzin show that Coron's analysis can be applied for any claw-free permutation family [10]. The scheme makes use of a hash function $H : \{0,1\}^* \to D$, which is modeled as a random oracle. The signature scheme comprises three algorithms: KeyGen, Sign, and Verify.

Key Generation. For a particular user, pick random $(s, t) \leftarrow \mathrm{Generate}$. The user's public key $PK$ is $s$. The user's private key $SK$ is $(s, t)$.

Signing. For a particular user, given the private key $(s, t)$ and a message $M \in \{0,1\}^*$, compute $h \leftarrow H(M)$, where $h \in D$, and $\sigma \leftarrow \mathrm{Invert}(s, t, h)$. The signature is $\sigma \in D$.

Verification. Given a user's public key $s$, a message $M$, and a signature $\sigma$, compute $h \leftarrow H(M)$; accept if $h = \mathrm{Evaluate}(s, \sigma)$ holds.

The following theorem, due to Coron, shows the security of full-domain signatures under the adaptive chosen message attack in the random oracle model. The terms given in the exact analysis of $\epsilon$ and $t$ have been adapted to agree with the accounting employed by Boneh et al. [6].

Theorem 1. Let $\Pi$ be a $(t', \epsilon')$-one-way homomorphic trapdoor permutation family. Then the full-domain hash signature scheme on $\Pi$ is $(t, q_H, q_S, \epsilon)$-secure against existential forgery under an adaptive chosen-message attack (in the random oracle model) for all $t$ and $\epsilon$ satisfying

$$\epsilon \ge e(q_S + 1) \cdot \epsilon' \quad\text{and}\quad t \le t' - 2(q_H + 2 q_S).$$

Here $e$ is the base of the natural logarithm.
3 Sequential Aggregate Signatures

We introduce sequential aggregate signatures and present a security model for 
them. 

3.1 Aggregate and Sequential Aggregate Signatures 

Boneh et al. [5] present a new signature primitive, aggregate signatures. Aggre- 
gate signatures are a generalization of multisignatures [14, 16, 15, 3] wherein 
signatures by several users on several distinct messages may be combined into 
an aggregate whose length is the same as that of a single signature. Using an 
aggregate signature in place of several individual signatures in a protocol yields 
useful space savings. In an aggregate signature, signatures are first individually 
generated and then combined into an aggregate. 

Sequential aggregate signatures are different. Each would-be signer trans- 
forms a sequential aggregate into another that includes a signature on a message 
of his choice. Signing and aggregation are a single operation; sequential aggre- 
gates are built in layers, like an onion; the first signature in the aggregate is 
the inmost. As with non-sequential aggregate signatures, the resulting sequen- 
tial aggregate is the same length as an ordinary signature. This behavior closely 
mirrors the sequential nature of certificate chains in a PKI. 

Let us restate the intuition given above more formally. Key generation is a randomized algorithm that outputs a public-private keypair $(PK, SK)$.

Aggregation and signing is a combined operation. The operation takes as input a private key $SK$, a message $M_i$ to sign, and a sequential aggregate $\sigma'$ on messages $M_1, \ldots, M_{i-1}$ under respective public keys $PK_1, \ldots, PK_{i-1}$, where $M_1$ is the inmost message. All of $M_1, \ldots, M_{i-1}$ and $PK_1, \ldots, PK_{i-1}$ must be provided as inputs. If $i$ is 1, the aggregate $\sigma'$ is taken to be empty. It adds a signature on $M_i$ under $SK$ to the aggregate, outputting a sequential aggregate $\sigma$ on all $i$ messages $M_1, \ldots, M_i$.

The aggregate verification algorithm is given a sequential aggregate signature $\sigma$, messages $M_1, \ldots, M_i$, and public keys $PK_1, \ldots, PK_i$, and verifies that $\sigma$ is a valid sequential aggregate (with $M_1$ inmost) on the given messages under the given keys.

3.2 Sequential Aggregate Signature Security 

The security of sequential aggregate signature schemes is defined as the non- 
existence of an adversary capable, within the confines of a certain game, of 
existentially forging a sequential aggregate signature. Existential forgery here 
means that the adversary attempts to forge a sequential aggregate signature, on 
messages of his choice, by some set of users not all of whose private keys are 
known to the forger. 

We formalize this intuition as the sequential aggregate chosen-key security model. In this model, the adversary $\mathcal{A}$ is given a single public key. His goal is the existential forgery of a sequential aggregate signature. We give the adversary power to choose all public keys except the challenge public key. The adversary is also given access to a sequential aggregate signing oracle on the challenge key. His advantage, $\mathrm{AdvAggSig}_{\mathcal{A}}$, is defined to be his probability of success in the following game.

Setup. The aggregate forger $\mathcal{A}$ is provided with a public key $PK$, generated at random.

Queries. Proceeding adaptively, $\mathcal{A}$ requests sequential aggregate signatures with $PK$ on messages of his choice. For each query, he supplies a sequential aggregate signature $\sigma$ on some messages $M_1, \ldots, M_{i-1}$ under distinct keys $PK_1, \ldots, PK_{i-1}$, and an additional message $M_i$ to be signed by the oracle under key $PK$ (where $i$ is at most $n$, a game parameter).

Response. Finally, $\mathcal{A}$ outputs $i$ distinct public keys $PK_1, \ldots, PK_i$. Here $i$ is at most $n$, and need not equal the lengths (also denoted $i$) of $\mathcal{A}$'s requests in the query phase above. One of these keys must equal $PK$, the challenge key. Algorithm $\mathcal{A}$ also outputs messages $M_1, \ldots, M_i$, and a sequential aggregate signature $\sigma$ by the $i$ users, each on his corresponding message, with $PK_1$ inmost.

The forger wins if the sequential aggregate signature $\sigma$ is a valid sequential aggregate signature on messages $M_1, \ldots, M_i$ under keys $PK_1, \ldots, PK_i$, and $\sigma$ is nontrivial, i.e., $\mathcal{A}$ did not request a sequential aggregate signature on messages $M_1, \ldots, M_{i^*}$ under keys $PK_1, \ldots, PK_{i^*}$, where $i^*$ is the index of the challenge key $PK$ in the forgery. Note that $i^*$ need not equal $i$: the forgery can be made in the middle of $\sigma$. The probability is over the coin tosses of the key-generation algorithm and of $\mathcal{A}$.

Definition 4. A sequential aggregate forger $\mathcal{A}$ $(t, q_H, q_S, n, \epsilon)$-breaks an $n$-user aggregate signature scheme in the sequential aggregate chosen-key model if: $\mathcal{A}$ runs in time at most $t$; $\mathcal{A}$ makes at most $q_H$ queries to the hash function and at most $q_S$ queries to the aggregate signing oracle; $\mathrm{AdvAggSig}_{\mathcal{A}}$ is at least $\epsilon$; and the forged sequential aggregate signature is by at most $n$ users. A sequential aggregate signature scheme is $(t, q_H, q_S, n, \epsilon)$-secure against existential forgery in the sequential aggregate chosen-key model if no forger $(t, q_H, q_S, n, \epsilon)$-breaks it.



4 Sequential Aggregates from Trapdoor Permutations 

We describe a sequential aggregate signature scheme arising from any family of 
trapdoor permutations, and prove the security of the scheme. 

We first introduce some notation for vectors. We write a vector as $\mathbf{x}$, its length as $|\mathbf{x}|$, and its elements as $x_1, x_2, \ldots, x_{|\mathbf{x}|}$. We denote concatenating vectors as $\mathbf{x} \| \mathbf{y}$ and appending an element to a vector as $\mathbf{x} \| z$. For a vector $\mathbf{x}$, $\mathbf{x}|_a^b$ is the sub-vector containing elements $x_a, x_{a+1}, \ldots, x_b$. It is necessarily the case that $1 \le a \le b \le |\mathbf{x}|$.
4.1 The Scheme

We now describe three algorithms, KeyGen, AggregateSign, and AggregateVerify, for our sequential aggregate signature scheme. The scheme employs a full-domain hash function $H : \{0,1\}^* \to D$, viewed as a random oracle, and resembles full-domain hash described in Sect. 2.5. The trick to aggregation is to incorporate the sequential aggregate signature of previous users by multiplying it (via the group operation $\oplus$) together with the hash of the message. Actually, the hash now needs to include not only the signer's message, but also her public key and the prior messages and keys.²

Key Generation. For a particular user, pick random $(s, t) \leftarrow \mathrm{Generate}$. The user's public key $PK$ is $s$. The user's private key $SK$ is $(s, t)$.

Aggregate Signing. The input is a private key $(s, t)$, a message $M \in \{0,1\}^*$ to be signed, and a sequential aggregate $\sigma'$ on messages $\mathbf{M}$ under public keys $\mathbf{s}$. Verify that $\sigma'$ is a valid signature on $\mathbf{M}$ under $\mathbf{s}$ using the verification algorithm below; if not, output $\ast$, indicating error. Otherwise, compute $h \leftarrow H(\mathbf{s} \| s, \mathbf{M} \| M)$, where $h \in D$, and $\sigma \leftarrow \mathrm{Invert}(s, t, h \oplus \sigma')$. The sequential aggregate signature is $\sigma \in D$.

Aggregate Verification. The input is a sequential aggregate $\sigma$ on messages $\mathbf{M}$ under public keys $\mathbf{s}$. If any key appears twice in $\mathbf{s}$, if any element of $\mathbf{s}$ does not describe a valid permutation, or if $|\mathbf{M}|$ and $|\mathbf{s}|$ differ, reject. Otherwise, let $i$ equal $|\mathbf{M}| = |\mathbf{s}|$. Set $\sigma_i \leftarrow \sigma$. Then, for $j = i, \ldots, 1$, set $\sigma_{j-1} \leftarrow \mathrm{Evaluate}(s_j, \sigma_j) \oplus h_j^{-1}$, where $h_j = H(\mathbf{s}|_1^j, \mathbf{M}|_1^j)$ and the inverse is taken with respect to $\oplus$. Accept if $\sigma_0$ equals 1, the unit of $D$ with respect to $\oplus$.

Written using $\pi$-notation, a sequential aggregate signature is of the form

$$\sigma = \pi_i^{-1}\Big(h_i \oplus \pi_{i-1}^{-1}\big(h_{i-1} \oplus \cdots \pi_2^{-1}(h_2 \oplus \pi_1^{-1}(h_1)) \cdots\big)\Big),$$

where $h_j = H(\mathbf{s}|_1^j, \mathbf{M}|_1^j)$. Verification evaluates the permutations in the forward direction, peeling layers away until the center is reached.

4.2 Security 

The following theorem demonstrates that our scheme is secure when instantiated 
on any certified trapdoor permutation family. 

Theorem 2. Let $\Pi$ be a certified $(t', \epsilon')$-trapdoor permutation family. Then our 
sequential aggregate signature scheme on $\Pi$ is $(t, q_H, q_S, n, \epsilon)$-secure against existential forgery under an adaptive sequential aggregate chosen-message attack 
(in the random oracle model) for all $t$ and $\epsilon$ satisfying 

$$\epsilon \ge (q_H + q_S + 1) \cdot \epsilon' \quad\text{and}\quad t \le t' - (4 n q_H + 4 n q_S + 7n - 1).$$ 

⁶ This is done not merely because we do not know how to prove the scheme secure 
otherwise. Micali et al. [14] pointed out that if the signature does not include the 
public key, then an adversary may attack the scheme by deciding on the public key 
after the signature is issued. Our approach is the same as that of Boneh et al. [5, 
Sect. 3.2]. 
Following Coron's work [8], a better security reduction is obtained if the trapdoor permutations are, additionally, homomorphic under some operation $*$. (The 
operation $*$ need not be the same as the operation $\odot$ used in the description of 
the signature scheme in Sect. 4.) 

Theorem 3. Let $\Pi$ be a certified homomorphic $(t', \epsilon')$-trapdoor permutation 
family. Then our sequential aggregate signature scheme on $\Pi$ is $(t, q_H, q_S, n, \epsilon)$-secure against existential forgery under an adaptive sequential aggregate chosen-message attack (in the random oracle model) for all $t$ and $\epsilon$ satisfying 

$$\epsilon \ge e(q_S + 1) \cdot \epsilon' \quad\text{and}\quad t \le t' - \big((4n+1) q_H + (4n+1) q_S + 7n + 3\big).$$ 

Here $e$ is the base of the natural logarithm. 

Finally, following the work of Dodis and Reyzin [10], the homomorphic property 
is not really necessary, and can be replaced with the more general claw-free 
property: 

Theorem 4. Let $\Pi$ be a certified $(t', \epsilon')$-claw-free permutation family. Then the 
sequential aggregate signature scheme on $\Pi$ is $(t, q_H, q_S, n, \epsilon)$-secure against existential forgery under an adaptive sequential aggregate chosen-message attack 
(in the random oracle model) for all $t$ and $\epsilon$ satisfying 

$$\epsilon \ge e(q_S + 1) \cdot \epsilon' \quad\text{and}\quad t \le t' - (4 n q_H + 4 n q_S + 7n).$$ 

Here $e$ is the base of the natural logarithm. 

The proofs of these theorems are very similar (in fact, Theorem 3 is just 
a corollary of Theorem 4, because, as we already saw, homomorphic trapdoor 
permutations are claw-free). We will prove all three at once. 

Proofs. Suppose there exists a forger $\mathcal{A}$ that breaks the security of our sequential 
aggregate signature scheme. We describe three algorithms that use $\mathcal{A}$ to break 
one of the three possible security assumptions (trapdoor one-wayness, homomorphic one-wayness, and claw-freeness). In fact, the algorithms are quite similar 
regardless of the assumption. Therefore, we present only one of them: $\mathcal{B}$, which 
uses $\mathcal{A}$ to find a claw in a (supposedly) claw-free permutation family $\Pi$. We 
will point out later the changes needed to make the reduction to ordinary and 
homomorphic trapdoor permutations. 

Suppose $\mathcal{A}$ is a forger algorithm that $(t, q_H, q_S, n, \epsilon)$-breaks the sequential 
aggregate signature scheme. We construct an algorithm $\mathcal{B}$ that finds a claw 
in $\Pi$. 

Crucial in our construction is the following fact about our signature scheme: 
once the function $H$ is fixed on the $i$ input values $(\mathbf{s}|_1^j, \mathbf{M}|_1^j)$, $1 \le j \le i$, there exists 
only one valid aggregate signature on $\mathbf{M}$ using keys $\mathbf{s}$. Thus, by answering hash 
queries properly, $\mathcal{B}$ can prepare for answering signature queries and for taking 
advantage of the eventual forgery. 

Algorithm $\mathcal{B}$ is given the description $s$ of an element of $\Pi$, and must find 
values $x \in D$ and $y \in E$ such that $\mathrm{Evaluate}(s, x) = \mathrm{EvaluateG}(s, y)$. Algorithm $\mathcal{B}$ 
supplies $\mathcal{A}$ with the public key $s$. It then runs $\mathcal{A}$ and answers its oracle queries 
as follows. 

Hash Queries. Algorithm $\mathcal{B}$ maintains a list, to which we refer as the $H$-list, of 
tuples $(\mathbf{s}, \mathbf{M}, w, r, c)$. The list is initially empty. When $\mathcal{A}$ queries 
the oracle $H$ at a point $(\mathbf{s}, \mathbf{M})$, algorithm $\mathcal{B}$ responds as follows. 

First we consider the easy cases. 

— If some tuple $(\mathbf{s}, \mathbf{M}, w, r, c)$ on the $H$-list already contains the query 
$(\mathbf{s}, \mathbf{M})$, then algorithm $\mathcal{B}$ answers the query as $H(\mathbf{s}, \mathbf{M}) = w \in D$. 

— If $|\mathbf{M}|$ and $|\mathbf{s}|$ differ, if $|\mathbf{s}|$ exceeds $n$, if some key is repeated in $\mathbf{s}$, or if any 
key in $\mathbf{s}$ does not describe a valid permutation, then $(\mathbf{s}, \mathbf{M})$ can never be 
part of a sequential aggregate signature. Algorithm $\mathcal{B}$ picks $w \xleftarrow{R} D$, and 
sets $r \leftarrow \star$ and $c \leftarrow \star$, both placeholder values. It adds $(\mathbf{s}, \mathbf{M}, w, r, c)$ to 
the $H$-list and responds to the query as $H(\mathbf{s}, \mathbf{M}) = w \in D$. 

Now for the more complicated cases. Set $i = |\mathbf{s}| = |\mathbf{M}|$. If $i$ is greater 
than 1, $\mathcal{B}$ runs the hashing algorithm on input $(\mathbf{s}|_1^{i-1}, \mathbf{M}|_1^{i-1})$, obtaining the 
corresponding entry on the $H$-list, $(\mathbf{s}|_1^{i-1}, \mathbf{M}|_1^{i-1}, w', r', c')$. If $i$ equals 1, 
$\mathcal{B}$ sets $r' \leftarrow 1$. Algorithm $\mathcal{B}$ must now choose elements $r$, $w$, and $c$ to include, 
along with $\mathbf{s}$ and $\mathbf{M}$, in a new entry on the $H$-list. There are three cases to 
consider. 

— If the challenge key $s$ does not appear at any index of $\mathbf{s}$, $\mathcal{B}$ chooses $r \xleftarrow{R} D$ 
at random, sets $c \leftarrow \star$, a placeholder value, and computes 

$$w \leftarrow \mathrm{Evaluate}(s_i, r) \odot (r')^{-1}.$$ 

— If the challenge key $s$ appears in $\mathbf{s}$ at index $i^* = i$, algorithm $\mathcal{B}$ generates 
a random coin $c \in \{0,1\}$ such that $\Pr[c = 0] = 1/(q_S + 1)$. If $c = 1$, $\mathcal{B}$ 
chooses $r \xleftarrow{R} D$ at random and sets 

$$w \leftarrow \mathrm{Evaluate}(s, r) \odot (r')^{-1}.$$ 

(In this case, $w$ is uniform in $D$ and independent of all other queries because $r$ has been chosen uniformly and independently at random from $D$, 
and $\mathrm{Evaluate}$ and combining with $(r')^{-1}$ are both permutations.) If $c = 0$, 
$\mathcal{B}$ chooses $r \xleftarrow{R} E$ at random and sets 

$$w \leftarrow \mathrm{EvaluateG}(s, r) \odot (r')^{-1}.$$ 

(In this case, $w$ is uniform in $D$ and independent of all other queries because $r$ has been chosen uniformly and independently at random from $E$, 
$\mathrm{EvaluateG}$ maps uniformly onto $D$, and combining with $(r')^{-1}$ is a permutation.) 

— If the challenge key $s$ appears in $\mathbf{s}$ at index $i^* < i$, algorithm $\mathcal{B}$ picks 
$w \xleftarrow{R} D$ at random, and sets $r \leftarrow \star$ and $c \leftarrow \star$, both placeholder values. 

Finally, $\mathcal{B}$ adds $(\mathbf{s}, \mathbf{M}, w, r, c)$ to the $H$-list, and responds to the query as 
$H(\mathbf{s}, \mathbf{M}) = w$. 

In all cases, $\mathcal{B}$'s response, $w$, is uniform in $D$ and independent of $\mathcal{A}$'s current 
view, as required. 

Aggregate Signature Queries. Algorithm $\mathcal{A}$ requests a sequential aggregate 
signature, under key $s$, on messages $\mathbf{M}$ under keys $\mathbf{s}$. 

If $|\mathbf{s}|$ and $|\mathbf{M}|$ differ, if $|\mathbf{s}|$ exceeds $n$, if any key appears more than once in $\mathbf{s}$, 
or if any key in $\mathbf{s}$ does not describe a valid permutation, $(\mathbf{s}, \mathbf{M})$ is not a valid 
aggregate, and $\mathcal{B}$ responds to $\mathcal{A}$ with $\star$, indicating error. Let $i = |\mathbf{s}| = |\mathbf{M}|$. 
If $s_i$ differs from $s$, $(\mathbf{s}, \mathbf{M})$ is not a valid query to the aggregate signing 
oracle, and $\mathcal{B}$ again responds with $\star$. 

Algorithm $\mathcal{A}$ also supplies a purported sequential aggregate signature $\sigma'$ on 
messages $\mathbf{M}|_1^{i-1}$ under keys $\mathbf{s}|_1^{i-1}$. If $i$ equals 1, $\mathcal{B}$ verifies that $\sigma'$ equals 1. 
Otherwise, $\mathcal{B}$ uses AggregateVerify to ensure that $\sigma'$ is the correct sequential 
aggregate signature on $\mathbf{M}|_1^{i-1}$ under keys $\mathbf{s}|_1^{i-1}$. If $\sigma'$ is incorrect, $\mathcal{B}$ again responds 
with $\star$. 

Otherwise, $\mathcal{B}$ runs the hash algorithm on $(\mathbf{s}, \mathbf{M})$, obtaining the corresponding entry on the $H$-list, $(\mathbf{s}, \mathbf{M}, w, r, c)$. Since $s_i$ equals $s$, $c$ must be 0 or 1. If 
$c = 0$ holds, $\mathcal{B}$ reports failure and terminates. Otherwise, $\mathcal{B}$ responds to the 
query with $\sigma \leftarrow r$. 

Output. Eventually algorithm $\mathcal{A}$ halts, outputting a message vector $\mathbf{M}$, a 
public-key vector $\mathbf{s}$, and a corresponding sequential aggregate signature 
forgery $\sigma$. The forgery must be valid: no key may occur more than once 
in $\mathbf{s}$, each key in $\mathbf{s}$ must describe a valid permutation, and the two vectors $\mathbf{s}$ and 
$\mathbf{M}$ must have the same length $i$, which is at most $n$. The forgery must also be 
nontrivial: the challenge key $s$ must occur in $\mathbf{s}$, at some location $i^*$, and $\mathcal{A}$ 
must not have asked for a sequential aggregate signature on messages $\mathbf{M}|_1^{i^*}$ 
under keys $\mathbf{s}|_1^{i^*}$. If $\mathcal{A}$ fails to output a valid and nontrivial forgery, $\mathcal{B}$ reports 
failure and terminates. 

Algorithm $\mathcal{B}$ begins by checking the hashes included in $\sigma$. For each $j$, $1 \le j \le i$, 
$\mathcal{B}$ runs its hash algorithm on $(\mathbf{s}|_1^j, \mathbf{M}|_1^j)$, obtaining a series of tuples 
$(\mathbf{s}|_1^j, \mathbf{M}|_1^j, w^{(j)}, r^{(j)}, c^{(j)})$. Note that $\mathcal{B}$ always returns $w$ as the answer to 
a hash query, so, for each $j$, $H(\mathbf{s}|_1^j, \mathbf{M}|_1^j) = w^{(j)}$. 

Algorithm $\mathcal{B}$ then examines $c^{(i^*)}$. Since $s_{i^*}$ equals $s$, $c^{(i^*)}$ must be 0 or 
1. If $c^{(i^*)} = 1$ holds, $\mathcal{B}$ reports failure and terminates. Then $\mathcal{B}$ applies the 
aggregate signature verification algorithm to $\sigma$. It sets $\sigma^{(i)} \leftarrow \sigma$. For 
$j = i, \dots, 1$, it sets $\sigma^{(j-1)} \leftarrow \mathrm{Evaluate}(s_j, \sigma^{(j)}) \odot (w^{(j)})^{-1}$. 

If $\sigma^{(0)}$ does not equal $1$, the unit of $D$, then $\sigma$ is not a valid aggregate signature, and $\mathcal{B}$ reports 
failure and terminates. Otherwise, $\sigma$ is valid and, moreover, each $\sigma^{(j)}$ computed by $\mathcal{B}$ is the (unique) valid aggregate signature on messages $\mathbf{M}|_1^j$ under 
keys $\mathbf{s}|_1^j$. 

Finally, $\mathcal{B}$ sets $x \leftarrow \sigma^{(i^*)}$ and $y \leftarrow r^{(i^*)}$. Because $c^{(i^*)} = 0$, the hash answer 
$w^{(i^*)}$ was built from $\mathrm{EvaluateG}(s, y)$, so $\mathrm{Evaluate}(s, x) = \mathrm{EvaluateG}(s, y)$ and $(x, y)$ is the claw $\mathcal{B}$ sought. 

This completes the description of algorithm $\mathcal{B}$. 
It is easy to modify this algorithm for homomorphic trapdoor permutations. 
Now the algorithm's goal is not to find a claw, but to invert the permutation given 
by $s$ on a given input $z$. Simply replace, when answering hash queries for $c = 0$, 
the invocation of $\mathrm{EvaluateG}(s, r)$ with $z * \mathrm{Evaluate}(s, r)$. Then a claw $(x, y)$ allows $\mathcal{B}$ 
to recover the inverse of $z$ under the permutation by computing $x * (1/y)$, 
where $1/y$ is the inverse of $y$ under $*$. 

Finally, it is also easy to modify this algorithm for ordinary trapdoor permutations: 

— In answering hash queries where the challenge key $s$ is outermost in $\mathbf{s}$, instead 
of letting $c = 0$ with probability $1/(q_S + 1)$, set $c = 0$ for exactly one query, 
chosen at random. There can be at most $q_H + q_S + 1$ such queries. 

— For the $c = 0$ query, set $w \leftarrow z \odot (r')^{-1}$. Then $w$ is random given $\mathcal{A}$'s view. 

— If algorithm $\mathcal{A}$'s forgery is such that $c^{(i^*)} = 0$, $\mathcal{B}$ outputs $x \leftarrow \sigma^{(i^*)}$. 

In the full version of this paper [12], we show that $\mathcal{B}$ correctly simulates $\mathcal{A}$'s 
environment, and analyze its running time and success probability. □ 



5 Aggregating with RSA 

Here we consider the details of instantiating the sequential aggregate signature 
scheme presented in Sect. 4 using the RSA permutation family. 

The RSA function was introduced by Rivest, Shamir, and Adleman [17]. 
If $N = pq$ is the product of two large primes and $ed \equiv 1 \pmod{\varphi(N)}$, then 
$\pi(x) = x^e \bmod N$ is a permutation on $\mathbb{Z}_N^*$, and $\pi^{-1}(x) = x^d \bmod N$ is its 
inverse. Setting $s = (N, e)$ and $t = (d)$ gives a one-way trapdoor permutation 
that is multiplicatively homomorphic. 

A few difficulties arise when we try to instantiate the above scheme with 
RSA. We tackle them individually. 

The first problem is that RSA is not a certified trapdoor permutation. Raising to the power $e$ may not be a permutation over $\mathbb{Z}_N^*$ if $e$ is not relatively 
prime with $\varphi(N)$. Moreover, even if it is a permutation of $\mathbb{Z}_N^*$, it may not be 
a permutation of all of $\mathbb{Z}_N$ if $N$ is maliciously generated (in particular, if $N$ is 
not square-free). Note that, for maliciously generated $N$, the difference between 
$\mathbb{Z}_N^*$ and $\mathbb{Z}_N$ may be considerable. The traditional argument used to dismiss this 
issue (that if one finds $x$ outside $\mathbb{Z}_N^*$, one factors $N$) has no relevance here: $N$ 
may be generated by the adversary, and our ability to factor it has no impact on 
the security of the scheme for the honest signer who is using a different modulus. 
Our security proof substantially relied on the fact that even the adversarial public keys define permutations, for uniqueness of signatures and proper distribution 
of hash query answers. Indeed, this is not just a "proof problem," but a demonstrable security concern: if the adversary is able to precede the honest user's 
key $(N_i, e_i)$ with multiple keys $(N_1, e_1), \dots, (N_{i-1}, e_{i-1})$, each of which defines a 
collision-prone function rather than a permutation, then it is quite possible that 
no matter what value one takes for $\sigma_i$, it will be likely to verify correctly: for example, 
there will be two valid $\sigma_1$ values, four valid $\sigma_2$ values, eight valid $\sigma_3$ values, ..., 
$2^i$ valid $\sigma_i$ values. 

One way to resolve this problem is to make sure that every key participating 
in an aggregate signature has been verified to be of correct form. This could 
be accomplished by having a trusted certification authority check that $N$ is a 
product of two large primes and $e$ is relatively prime to $\varphi(N)$ before issuing a 
certificate. This check, however, requires one to place more trust in the authority 
than usual: the authority must be trusted not just to verify the identity of a key’s 
purported owner, but also to perform verification of some complicated properties 
of the key. Moreover, the security of an honest signer can be compromised without 
the signer’s knowledge or participation by dishonest signers whose keys are of 
incorrect form, when the dishonest signers form an aggregate signature that 
verifies with the honest signer’s public key. The only way to prevent this is to 
trust that the verifier of the aggregate signature only accepts certificates from 
certification authorities who verify the correctness of the key. 

In the case when it is best to avoid assuming such complex trust relationships, 
we propose to tackle this problem in the same way as Micali et al. [13], though 
at the expense of longer verification time. First, we require $e$ to be a prime larger 
than $N$ (this idea also appeared in Cachin et al. [7]). Then it is guaranteed to 
be relatively prime with $\varphi(N)$, and therefore provides a permutation over $\mathbb{Z}_N^*$. 
To extend to a permutation over $\mathbb{Z}_N$, we define $\mathrm{Evaluate}((N, e), x)$ as follows: if 
$\gcd(x, N) = 1$, output $x^e \bmod N$; else output $x$. 
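As an added illustration (not part of the paper), the following Python code brute-forces the map $x \mapsto x^e \bmod N$ on toy moduli to make the two failure modes just described visible, and to confirm that the certified $\mathrm{Evaluate}$ above is a permutation of all of $\mathbb{Z}_N$ whenever $e$ is a prime larger than $N$, square-free modulus or not. The moduli, exponents and function names are this example's own choices.

```python
"""Why RSA must be 'certified' before use as a trapdoor permutation over Z_N.

Added example (not the paper's code). It brute-forces toy moduli so that the
two failure modes described in the text are visible: e sharing a factor with
phi(N), and N not being square-free. Function names are this example's own.
"""
from math import gcd, isqrt


def naive_eval(N, e, x):
    """Plain RSA evaluation x^e mod N applied to every x in Z_N."""
    return pow(x, e, N)


def certified_eval(N, e, x):
    """The paper's Evaluate((N, e), x): x^e mod N on units of Z_N, identity elsewhere."""
    return pow(x, e, N) if gcd(x, N) == 1 else x


def is_prime(n):
    """Trial division; only used on toy-sized inputs here."""
    return n > 1 and all(n % p for p in range(2, isqrt(n) + 1))


def next_prime_above(n):
    """Smallest prime strictly larger than n (the paper's choice of e)."""
    n += 1
    while not is_prime(n):
        n += 1
    return n


def is_certified_key(N, e):
    """The verifier-side key-form check of the paper: e must be a prime larger than N."""
    return e > N and is_prime(e)


def image_classes(f, N, e):
    """Group the elements of Z_N by their image under f(N, e, .)."""
    classes = {}
    for x in range(N):
        classes.setdefault(f(N, e, x), []).append(x)
    return classes


def is_permutation(f, N, e):
    """f(N, e, .) is a permutation of Z_N iff every image has exactly one preimage."""
    return len(image_classes(f, N, e)) == N


def collisions(f, N, e):
    """Sets of distinct inputs sharing one image: the 'collision-prone' situation."""
    return sorted(xs for xs in image_classes(f, N, e).values() if len(xs) > 1)


def certified_keys_are_permutations(limit):
    """Brute-force sanity check: for every N < limit, Evaluate with e = first prime
    above N is a permutation of all of Z_N, whether or not N is square-free."""
    return all(is_permutation(certified_eval, N, next_prime_above(N))
               for N in range(2, limit))


if __name__ == "__main__":
    # N = 15 = 3*5 with e = 2: e shares a factor with phi(15) = 8, so x^e is not
    # injective even on the units, and the gcd rule cannot repair that.
    print(is_permutation(naive_eval, 15, 2), is_permutation(certified_eval, 15, 2))
    # N = 12 = 2^2*3 is not square-free; e = 13 > 12 is prime.  Plain x^e collides
    # on non-units (2 and 8 both map to 8); the gcd rule makes it a permutation.
    print(collisions(naive_eval, 12, 13), is_permutation(certified_eval, 12, 13))
    print(certified_keys_are_permutations(200))
```

The last check is the certification argument of the text in miniature: a prime $e > N$ cannot divide $\varphi(N) < N$, so exponentiation permutes the units, and fixing the non-units extends that to all of $\mathbb{Z}_N$ without any knowledge of how $N$ was generated.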

The second problem is that the natural choice for the group operation $\odot$, 
multiplication, is not actually a group operation over $\mathbb{Z}_N$. Thus, signature verification, which requires computation of an inverse under $\odot$, may be unable to 
proceed. Moreover, our security proof, which relies on the fact that $\odot$ is a group 
operation for uniqueness of signatures and proper distribution of hash query 
answers, will no longer hold. This difficulty is simple to overcome: use addition 
modulo $N$ as the group operation $\odot$. Recall that no properties were required 
of $\odot$ beyond being a group operation on the domain. 

The third problem is that two users cannot share the same modulus $N$. Thus 
the domains of the one-way permutations belonging to the aggregating users 
differ, making it difficult to treat RSA as a family of trapdoor permutations. 
We give two approaches that allow us to create sequential aggregates from RSA 
nonetheless. 

The first approach is to require the users' moduli to be arranged in increasing 
order: $N_1 < N_2 < \cdots < N_n$. At verification, it is important to check that the $i$-th 
signature $\sigma_i$ is actually less than $N_i$, to ensure that correct signatures are unique 
if $H$ is fixed. As long as $\log N_n - \log N_1$ is constant, and the range of $H$ is a 
subset of $\mathbb{Z}_{N_1}$ whose size is a constant fraction of $N_1$, the scheme will be secure. 
The same security proof still goes through, with the following minor modification 
for answering hash queries. Whenever a hash query answer $w$ is computed by 
first choosing a random $r$ in $\mathbb{Z}_{N_i}$, there is a chance that $w$ will be outside of the 
range of $H$. In this case, simply repeat with a fresh random $r$ until $w$ falls in the 
right range (the expected number of repetitions is constant). Note that because 
we insisted on $\mathrm{Evaluate}$ being a permutation and $\odot$ being a group operation, 
the resulting distribution of $w$ is uniform on the range of $H$. Therefore, the 
distribution of answers to hash queries is uniform. Since signatures are uniquely 
determined by answers to hash queries, the adversary's whole view is correct, 
and the proof works without other modifications. (This technique is related to 
Coron's partial-domain hash analysis [9], though Coron deals with the more 
complicated case when the partial domain is exponentially smaller than the full 
domain.) 

Our second approach allows for more general moduli: we do not require them 
to be in increasing order. However, we do require them to be of the same length $\ell$ 
(constant differences in the lengths will also work, but we do not address them 
here for simplicity of exposition). The signature will expand by $n$ bits $b_1 \dots b_n$, 
where $n$ is the total number of users. Namely, during signing, user $i$ sets $b_i = 1$ if 
the incoming aggregate satisfies $\sigma_{i-1} \ge N_i$, and $b_i = 0$ otherwise. During verification, 
if $b_i = 1$, add $N_i$ to the recovered $\sigma_{i-1}$ before proceeding with the verification 
of $\sigma_{i-1}$. Always check that $\sigma_i$ is in the correct range $0 \le \sigma_i < N_i$ (to ensure, 
again, uniqueness of signatures). The security proof requires no major modifications.⁷ 

To summarize, the resulting RSA aggregate signature schemes for $n$ users 
with moduli of length $\ell$ are as follows. Let $H : \{0,1\}^* \to \{0,1\}^{\ell-1}$ be a hash 
function. 

Restricted Moduli. We first present the scheme where the moduli must be ordered. 

Key Generation. Each user $i$ generates an RSA public key $(N_i, e_i)$ and secret 
key $(N_i, d_i)$, ensuring that $2^{\ell-1}(1 + (i-1)/n) < N_i < 2^{\ell-1}(1 + i/n)$ and that 
$e_i > N_i$ is a prime. 

Signing. User $i$ is given an aggregate signature $\sigma'$, the messages $M_1, \dots, M_{i-1}$, 
and the corresponding keys $(N_1, e_1), \dots, (N_{i-1}, e_{i-1})$. User $i$ first verifies $\sigma'$, 
using the verification procedure below. If the verification succeeds, user $i$ 
computes $h_i = H((M_1, \dots, M_i), ((N_1, e_1), \dots, (N_i, e_i)))$, $y = h_i + \sigma' \bmod N_i$, and 
outputs $\sigma = y^{d_i} \bmod N_i$. The user may first check that $\gcd(y, N_i) = 1$ and, 
if not, output $y$; however, the chances that the check will fail are negligible, 
because the user is honest. 

Verifying. The verifier is given as input an aggregate signature $\sigma$, the messages 
$M_1, \dots, M_i$, and the corresponding keys $(N_1, e_1), \dots, (N_i, e_i)$, and proceeds 
as follows. Check that no key appears twice, that $e_i > N_i$ is a prime 
and that $N_i$ is of length $\ell$ (this needs to be checked only once per key, 
and need not be done with every signature verification), and that 
$0 \le \sigma < N_i$. If $\gcd(\sigma, N_i) = 1$, let $y \leftarrow \sigma^{e_i} \bmod N_i$. Else let $y \leftarrow \sigma$ (this 
check is crucial, because we do not know if user $i$ is honest). Compute 
$h_i \leftarrow H((M_1, \dots, M_i), ((N_1, e_1), \dots, (N_i, e_i)))$ and $\sigma' \leftarrow y - h_i \bmod N_i$. 
Verify $\sigma'$ recursively. The base case for recursion is $i = 0$, in which case simply 
check that $\sigma = 0$. 

⁷ We need to argue that correct signatures are unique given the hash answers. At first 
glance it may seem that the adversary may have choice on whether to use $b_i = 0$ 
or $b_i = 1$. However, this will result in two values $\sigma_{i-1}$ that are guaranteed to be 
different: one will be less than $N_i$ and the other at least $N_i$. Hence uniqueness of 
$\sigma_{i-1}$ implies uniqueness of $b_i$ and, therefore, $\sigma_i$. Thus, by induction, signatures are 
still unique. In particular, there is no need to include $b_i$ in the hash function input. 
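The restricted-moduli scheme just summarized, carried through end to end as an added Python example. This is not the paper's code (the paper specifies the scheme only in prose) nor any library's. It is also the concrete instance of the generic KeyGen/AggregateSign/AggregateVerify of Sect. 4.1, with $\odot$ instantiated as addition modulo $N_i$ and $\mathrm{Evaluate}$ as the gcd-guarded RSA map. Everything the paper leaves open is an assumption of this example: $H$ is SHA-256 truncated to $\ell-1$ bits over a length-prefixed encoding of the messages and keys, $\ell = 64$ is a toy modulus size chosen so that the demo runs instantly (a deployment needs $\ell \ge 2048$), and all function names are this example's own.

```python
"""Sequential aggregate signatures from RSA (restricted moduli).  Added example,
not the paper's code.  Toy size ell = 64 so the demo is instant (deployments
need ell >= 2048).  Assumed, not fixed by the paper: H = SHA-256 truncated to
ell-1 bits over a length-prefixed encoding; all function names are this example's."""
import hashlib
import math
import random

ELL = 64      # modulus length in bits (toy size)
N_USERS = 3   # n: maximum number of aggregating users
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin; deterministic for n < 3.3e24 with these bases (ample here)."""
    if n < 2 or any(n % p == 0 for p in _MR_BASES):
        return n in _MR_BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_prime(n):
    n += 1
    while not is_prime(n):
        n += 1
    return n

def keygen(i, rng):
    """Key of user i (1-based): 2^(ell-1)(1+(i-1)/n) <= N_i < 2^(ell-1)(1+i/n), so
    N_1 < N_2 < ... with every N_i of length ell; e_i = first prime above N_i."""
    lo = (1 << (ELL - 1)) * (N_USERS + i - 1) // N_USERS
    hi = (1 << (ELL - 1)) * (N_USERS + i) // N_USERS
    while True:   # rejection-sample p, q until N = pq lands in user i's slot
        p = next_prime(rng.getrandbits(ELL // 2) | (1 << (ELL // 2 - 1)))
        q = next_prime(rng.getrandbits(ELL // 2) | (1 << (ELL // 2 - 1)))
        N = p * q
        if p != q and lo <= N < hi:
            break
    e = next_prime(N)                       # e > N prime => gcd(e, phi(N)) = 1
    return (N, e), (N, pow(e, -1, (p - 1) * (q - 1)))

def H(msgs, keys):
    """H : {0,1}^* -> {0,1}^(ell-1), so that h_i < 2^(ell-1) <= N_1."""
    fields = list(msgs) + [v.to_bytes(ELL // 8 + 1, "big") for N, e in keys for v in (N, e)]
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big") + f)
    return int.from_bytes(h.digest(), "big") >> (256 - (ELL - 1))

def evaluate(N, e, x):
    """Certified RSA map over all of Z_N: x^e on units, identity on non-units."""
    return pow(x, e, N) if math.gcd(x, N) == 1 else x

def verify(sigma, msgs, keys):
    """Recursive AggregateVerify for keys = [(N_1, e_1), ..., (N_i, e_i)]."""
    if len(msgs) != len(keys) or len(keys) > N_USERS or len(set(keys)) != len(keys):
        return False
    if not keys:
        return sigma == 0                   # base case: sigma_0 = 0, unit of (Z_N, +)
    N, e = keys[-1]
    if N.bit_length() != ELL or not (e > N and is_prime(e)):
        return False                        # key-form check (once per key in practice)
    if len(keys) > 1 and not keys[-2][0] < N:
        return False                        # restricted moduli must be increasing
    if not 0 <= sigma < N:
        return False                        # range check keeps signatures unique
    sigma_prev = (evaluate(N, e, sigma) - H(msgs, keys)) % N
    return verify(sigma_prev, msgs[:-1], keys[:-1])

def sign(sk, msgs, keys, sigma_prev):
    """AggregateSign by the holder of sk = (N_i, d_i): extends sigma_prev (the aggregate
    on msgs[:-1]/keys[:-1]) with msgs[-1]; None is the paper's error output."""
    N, d = sk
    if keys[-1][0] != N or not verify(sigma_prev, msgs[:-1], keys[:-1]):
        return None
    y = (H(msgs, keys) + sigma_prev) % N    # group operation: addition mod N_i
    if math.gcd(y, N) != 1:                 # negligible for an honest key; kept so
        return y                            # that Evaluate stays a permutation
    return pow(y, d, N)

def demo(seed=None):
    """Three users sign in turn; returns (aggregate, verifies?, tampered verifies?)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    pks, sks = zip(*(keygen(i, rng) for i in range(1, N_USERS + 1)))
    msgs, sigma = [], 0
    for i in range(N_USERS):
        msgs.append(b"message %d" % (i + 1))
        sigma = sign(sks[i], msgs, list(pks[:i + 1]), sigma)
    return sigma, verify(sigma, msgs, list(pks)), verify(sigma, msgs[:-1] + [b"forged"], list(pks))
```

Running `demo()` produces a single $\ell$-bit aggregate that verifies for the three messages and fails once any message is altered. Note that `verify` re-runs the primality test on every $e_i$; as the text says, a deployment would do that once per key, when the key is first seen.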

Unrestricted Moduli. We present the scheme for unordered moduli by simply 
demonstrating the required modifications. First, the range of $N_i$ is now 
$2^{\ell-1} < N_i < 2^{\ell}$. Second, to sign, upon verifying $\sigma'$, check if $\sigma' \ge N_i$. If so, replace $\sigma'$ 
with $\sigma' - N_i$ and set $b_i = 1$; else, set $b_i = 0$. Finally, to verify, replace $\sigma'$ with 
$\sigma' + b_i N_i$ before proceeding with the recursive step. 

Security. Because RSA over $\mathbb{Z}_N^*$ is homomorphic with respect to multiplication, 
it is claw-free (not just over $\mathbb{Z}_N^*$ but over the entire $\mathbb{Z}_N$, because finding a claw outside of $\mathbb{Z}_N^*$ implies factoring $N$ and hence being able to invert RSA). Therefore, 
the conclusions of Theorem 4 apply to this scheme. 
Abstract. We consider the scenario where Alice wants to send a secret (classical) n-bit message to Bob using a classical key, and where 
only one-way transmission from Alice to Bob is possible. In this case, 
quantum communication cannot help to obtain perfect secrecy with key 
length smaller than n. We study the question of whether there might 
still be fundamental differences between the case where quantum as op- 
posed to classical communication is used. In this direction, we show that 
there exist ciphers with perfect security producing quantum ciphertext 
where, even if an adversary knows the plaintext and applies an optimal 
measurement on the ciphertext, his Shannon uncertainty about the key 
used is almost maximal. This is in contrast to the classical case where 
the adversary always learns n bits of information on the key in a known 
plaintext attack. We also show that there is a limit to how different the 
classical and quantum cases can be: the most probable key, given match- 
ing plain- and ciphertexts, has the same probability in both the quantum 
and the classical cases. We suggest an application of our results in the 
case where only a short secret key is available and the message is much 
longer. Namely, one can use a pseudorandom generator to produce from 
the short key a stream of keys for a quantum cipher, using each of them 
to encrypt an n-bit block of the message. Our results suggest that an 
adversary with bounded resources in a known plaintext attack may po- 
tentially be in a much harder situation against quantum stream-ciphers 
than against any classical stream-cipher with the same parameters. 



1 Introduction 

In this paper, we consider the scenario where Alice wants to send a secret (clas- 
sical) n-bit message to Bob using an m-bit classical shared key, and where only 
one-way transmission from Alice to Bob is possible (or at least where interaction 
is only available with a prohibitively long delay). If interaction had been avail- 
able, we could have achieved (almost) perfect secrecy using standard quantum 
key exchange, even if m < n. But with only one-way communication, we need 
m ≥ n even with quantum communication [1]. 

We study the question of whether there might still be some fundamental dif- 
ferences between the case where quantum as opposed to classical communication 
is used. In this direction, we present two examples of cryptosystems with perfect 
security producing n-bit quantum ciphertexts, and with key length m = n + 1, 
respectively m = 2n. We show that given plaintext and ciphertext, and even 
when applying an optimal measurement to the ciphertext, the adversary can 
learn no more than n/2, respectively 1 bit of Shannon information on the key. 
This should be compared to the fact that for a classical cipher with perfect secu- 
rity, the adversary always learns n bits of information on the key. While proving 
these results, we develop a method which may be of independent interest, for 
estimating the maximal amount of Shannon information that a measurement 
can extract from a mixture. We note that the first example can be implemented 
without quantum memory, it only requires technology similar to what is needed 
for quantum key exchange, and is therefore within reach of current technology. 
The second example can be implemented with a circuit of 0{rt’) gates out of 
which only 0{n^) are elementary quantum gates. 

We also discuss the composition of ciphers, i.e., what happens to the uncer- 
tainty of keys when the same quantum cipher is used to encrypt several blocks 
of data using independent keys. This requires some care: it is well known that 
cryptographic constructions do not always compose nicely in the quantum case. 
For composition of our ciphers, however, a rather simple argument shows that 
the adversary’s uncertainty about the keys grows with the number of blocks 
encrypted exactly as one would expect classically. 

On the other hand, we show that there is a limit to how different the quantum 
and classical cases can be. Namely, the most probable key (i.e. the min-entropy 
of the key), given matching plain- and ciphertexts, has the same probability in 
both cases. 

On the technical side, a main observation underlying our results on Shan- 
non key-uncertainty is that our method for estimating the optimal measurement 
w.r.t. Shannon entropy can be combined with known results on so called en- 
tropic uncertainty relations [5,3,7] and mutually unbiased bases [8]. We note 
that somewhat related techniques are used in concurrent independent work by 
DiVincenzo et al. [2] to handle a different, non-cryptographic scenario. 

While we believe the above results are interesting, and perhaps even some- 
what surprising from an information theoretic point of view, they have limited 
practical significance if perfect security is the goal: a key must never be reused, 
and so we do not really have to care whether the adversary learns information 
about it when it is used. 

However, there is a different potential application of our results to the case 
where only a short secret key is available, and where no upper bound on the 
message length is known a priori. In such a case, only computational security 
is possible and the standard classical way to encrypt is to use a stream-cipher: 
using a pseudorandom generator, we expand the key into a long random looking 
keystream, which is then combined with the plaintext to form the ciphertext. 
The simplest way of doing such a combination is to take the bit-wise XOR of key 
and plaintext streams. In a known plaintext attack, an adversary will then be 
able to learn full information on a part of the keystream and can try to analyze 
it to find the key or guess other parts of the keystream better than at random. 
In general, any cipher with perfect secrecy, n-bit plain- and ciphertext and m- 
bit keys can be used: we simply take the next m bits from the keystream and 
use these as key in the cipher to encrypt the next n bits of the plaintext. It is 
easy to see that for any classical cipher, if the adversary knows some n-bit block 
of plaintext and also the matching ciphertext, then he learns n bit of Shannon 
information on the keystream. 

If instead we use quantum communication and one of our quantum ciphers 
mentioned above, intuition suggests that an adversary with limited resources is 
in a more difficult situation when doing a known plaintext attack: if measuring 
the state representing the ciphertext only reveals a small amount of information 
on the corresponding part of the keystream, then the adversary will need much 
more known plaintext than in the classical case before being able to cryptanalyze 
the keystream. 

Care has to be taken in making this statement more precise: our results on 
key uncertainty tell us what happens when keys are random, whereas in this 
application they are pseudorandom. It is conceivable that the adversary could 
design a measurement revealing more information by exploiting the fact that the 
keystream is not truly random. This, however, is equivalent to cryptanalyzing 
the generator using a quantum computation, and is likely to be technologically 
much harder than implementing the quantum ciphers. In particular, unless the 
generator is very poorly designed, it will require keeping a coherent state much 
larger than what is required for encryption and decryption - simply because one 
will need to involve many bits from the keystream simultaneously in order to dis- 
tinguish it efficiently from random. Thus, an adversary limited to measurements 
involving only a small number of qubits will simply have to make many such 
measurements, hoping to gather enough classical information on the keystream 
to cryptanalyze it. Our results apply to this situation: first, since the adversary 
makes many measurements, we should worry about what he learns on average, 
so Shannon information is the appropriate measure. Second, even though the 
keystream is only pseudorandom, it may be genuinely random when considering 
only a small part of it (see Maurer and Massey [4]). 

In Sect. 9, we prove a lower bound on the amount of known plaintext the 
adversary would need in order to obtain a given amount of information on the 
keystream, for a particular type of keystream generator and assuming the size 
of coherent states the adversary can handle is limited. We believe that quantum 
communication helps even for more general adversaries and generators. However, 
quantifying this advantage is an open problem. We stress that our main goal here 
is merely to point out the potential for improved security against a bounded 
adversary. 
2 Preliminaries 

We assume the reader is familiar with the standard notions of Shannon entropy 
$H(\cdot)$ of a probability distribution, conditional entropy, etc. A related notion 
that also measures "how uniform" a distribution is, is the so-called min-entropy. 
Given a probability distribution $\{p_1, \dots, p_n\}$, the min-entropy is defined as 

$$H_\infty(p_1, \dots, p_n) = -\log_2\big(\max\{p_1, \dots, p_n\}\big) \qquad (1)$$ 

As usual, $H_\infty(X)$ for random variable $X$ is the min-entropy of its distribution. 
Min-entropy is directly related to the "best guess" probability: if we want to guess 
which value random variable $X$ will take, the best strategy is to guess at a value 
with maximal probability, and then we will be correct with probability $2^{-H_\infty(X)}$. 
Given the value of another random variable $Y$, we can define $H_\infty(X|Y = y)$ simply as the min-entropy of the distribution of $X$ given that $Y = y$, and similarly 
to Shannon entropy, we can define $H_\infty(X|Y) = \sum_y \Pr[Y = y] \cdot H_\infty(X|Y = y)$. 

The min-entropy can be thought of as a worst-case measure, which is more 
relevant when you have access to only one sample of some random experiment, 
whereas Shannon entropy measures what happens on average over several experiments. To illustrate the difference, consider the two distributions $(1/2, 1/2)$ 
and $(1/2, 1/4, 1/4)$. They both have min-entropy 1, even though it intuitively 
seems there should be more uncertainty in the second case; indeed, the Shannon 
entropies are 1 and 1.5. In fact, we always have $H(X) \ge H_\infty(X)$, with equality 
if $X$ is uniformly distributed. 



3 Classical Ciphers 

Consider a classical cryptosystem with $n$-bit plain- and ciphertexts, $m$-bit keys 
and perfect secrecy (assuming, of course, that keys are used only once). We 
identify the cryptosystem with its encryption function $E$. We call this an 
$(m, n)$-cipher for short. 

Definition 1. Consider an $(m, n)$-cipher $E$. We define the Shannon key-uncertainty of $E$ to be the amount of Shannon entropy that remains on an $m$-bit key 
given $n$-bit blocks of plain- and ciphertexts, i.e. $H(K|P, C)$, where $K, P, C$ are 
random variables corresponding to the random choices of key, plaintext and ciphertext blocks for $E$, and where the key is uniformly chosen. The min-entropy 
key-uncertainty of $E$ is defined similarly, but w.r.t. min-entropy, as $H_\infty(K|P, C)$. 

From the definition, it may seem that the key uncertainties depend on the dis- 
tribution of the plaintext. Fortunately, this is not the case. The key-uncertainty 
in the classical case is easy to compute, using the following slight generalization 
of the classical perfect security result by Shannon: 

Proposition 1. Let E be a cipher with perfect security, and with plaintext, 
ciphertext and keyspace V,C,IC, where \V\ = \C\. Furthermore, assume that keys 
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are chosen uniformly. For any such cipher, it holds that the distribution of the 
key, given any pair of matching ciphertext and plaintext is uniform over a set of 
\IC\/\V\ keys. 

Proof. By perfect security, we must have $|\mathcal{K}| \ge |\mathcal{P}|$. Now, let us represent the
cipher in a table as follows: we index rows by keys and columns by plaintexts,
and we fill each entry in the table with the ciphertext resulting from the key
and plaintext on the relevant row and column. Then, since correct decryption
must be possible and $|\mathcal{P}| = |\mathcal{C}|$, each ciphertext appears exactly once in each
row. Fix any ciphertext $c$, and let $t_c$ be the number of times $c$ appears in, say,
the first column. Since the probability distribution of the ciphertext must be the
same no matter the plaintext, $c$ must appear $t_c$ times in every column. Since
it also appears in every row, it follows that the length of a column satisfies
$|\mathcal{K}| = t_c|\mathcal{P}|$. So $t_c = |\mathcal{K}|/|\mathcal{P}|$ is the same for every $c$. If we know a matching
plaintext/ciphertext pair, we are given some $c$ and a column, and all we know is
that the key corresponds to one of the $t_c$ possible rows. The proposition follows.

□ 

Corollary 1. For any classical $(m,n)$-cipher, both the Shannon- and min-entropy
key-uncertainty is $m - n$ bits.

This result shows that there is no room for improvement in classical schemes: 
the natural constraints on (m, n)-ciphers imply that the key-uncertainty is always 
the same, once we fix m and n. As we shall see, this is not true for quantum 
ciphers. Although they cannot do better in terms of min-entropy key uncertainty, 
they can when it comes to Shannon key-uncertainty. 
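As an added illustration of Proposition 1 and Corollary 1 (example code written for this page, not from the paper), the following Python builds the key-by-plaintext table used in the proof for a small constructed cipher, checks perfect secrecy and unique decryption on it, and computes both key-uncertainties from the table. The cipher, a (3,2)-cipher that one-time-pads the two plaintext bits with $k_1,k_2$ and swaps them when $k_3 = 1$, and all function names are assumptions of this example.

```python
import math

def int_to_bits(x, width):
    """Integer -> tuple of bits, most significant first."""
    return tuple((x >> (width - 1 - i)) & 1 for i in range(width))

def example_encrypt(key, plaintext):
    """Constructed (3,2)-cipher (not from the paper): one-time-pad the two
    plaintext bits with k1, k2, then swap the two ciphertext bits if k3 = 1."""
    k1, k2, k3 = key
    c = (plaintext[0] ^ k1, plaintext[1] ^ k2)
    return (c[1], c[0]) if k3 else c

def cipher_table(encrypt, m, n):
    """The table from the proof of Proposition 1: rows are the 2^m keys,
    columns the 2^n plaintexts, entries the resulting ciphertexts."""
    keys = [int_to_bits(k, m) for k in range(2 ** m)]
    plaintexts = [int_to_bits(p, n) for p in range(2 ** n)]
    return {(k, p): encrypt(k, p) for k in keys for p in plaintexts}

def is_perfectly_secret(table, n):
    """Perfect secrecy: the multiset of ciphertexts in every column is the
    same; unique decryption: every row is a permutation of the 2^n values."""
    columns, rows = {}, {}
    for (k, p), c in table.items():
        columns.setdefault(p, []).append(c)
        rows.setdefault(k, set()).add(c)
    same_distribution = len({tuple(sorted(col)) for col in columns.values()}) == 1
    unique_decryption = all(len(row) == 2 ** n for row in rows.values())
    return same_distribution and unique_decryption

def entropy(probs):
    return -sum(p * math.log2(p) for p in probs if p > 0)

def key_uncertainty(table, m, n):
    """(Shannon, min-entropy) key-uncertainty in bits, i.e. H(K|P,C) and
    H_inf(K|P,C) for a uniform key. The plaintext is taken uniform here; by
    Proposition 1 the answer (m - n) does not depend on that choice."""
    consistent_keys = {}
    for (k, p), c in table.items():
        consistent_keys.setdefault((p, c), []).append(k)
    shannon, min_ent = 0.0, math.inf
    for (p, c), ks in consistent_keys.items():
        # Pr[P=p, C=c] = Pr[P=p] * (#keys mapping p to c) / 2^m
        weight = (1 / 2 ** n) * len(ks) / 2 ** m
        # given (p, c), the key is uniform over ks (Proposition 1)
        shannon += weight * entropy([1 / len(ks)] * len(ks))
        # worst case over (p, c): the most likely key has probability 1/|ks|
        min_ent = min(min_ent, math.log2(len(ks)))
    return shannon, min_ent

if __name__ == "__main__":
    table = cipher_table(example_encrypt, 3, 2)
    print("perfect secrecy:", is_perfectly_secret(table, 2))
    print("H(K|P,C), H_inf(K|P,C):", key_uncertainty(table, 3, 2))  # (1.0, 1.0) = m - n
```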

4 Quantum Ciphers and Min-Entropy Key-Uncertainty 

In this section, we consider quantum ciphers which encrypt classical messages
using classical keys and produce quantum ciphertexts.

We model both the encryption and decryption processes by unitary opera- 
tions on the plaintext possibly together with an ancilla. This is the same model 
as used in [1], with the restriction that we only encrypt classical messages. 

Definition 2 ($(m,n)$-quantum cipher). A general $(m,n)$-quantum cipher is
a tuple $(\mathcal{P},\mathcal{E})$, such that

— $\mathcal{P}$ is a finite set of orthonormal pure states (plaintexts) in the Hilbert
space $\mathcal{H}$, and $|\mathcal{P}| = N$ and $N = 2^n$.

— $\mathcal{E} = \{E_k : \mathcal{H} \to \mathcal{H} \mid k = 1,\dots,M\}$ is a set of unitary operators (encryptions),
and $M = 2^m$. Decryption using key $k$ is performed using $E_k^\dagger$.

And the following properties hold:

— Key hiding: $(\forall k, k' \in \{1,\dots,M\})$,

$$\sum_{a\in\mathcal{P}} \frac{1}{N}\, E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger \;=\; \sum_{a\in\mathcal{P}} \frac{1}{N}\, E_{k'}|a\rangle|0\rangle\langle 0|\langle a|E_{k'}^\dagger . \qquad (2)$$

— Data hiding: $(\forall |a\rangle, |b\rangle \in \mathcal{P})$,

$$\sum_{k=1}^{M} \frac{1}{M}\, E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger \;=\; \sum_{k=1}^{M} \frac{1}{M}\, E_k|b\rangle|0\rangle\langle 0|\langle b|E_k^\dagger . \qquad (3)$$

The key and data hiding properties guarantee that an adversary cannot gain
any information about the key and message respectively when an arbitrary
ciphertext is seen. In [1], it was shown that data hiding implies that $m \ge n$.

The key hiding property states that an adversary with no information on the
message encrypted expects to see the same ensemble no matter what key was
used. We denote this ensemble

$$\rho = \sum_{a\in\mathcal{P}} \frac{1}{N}\, E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger , \qquad (4)$$

for any $k \in \{1,2,\dots,M\}$. As motivation for the key-hiding property, we mention
that it is always satisfied if ciphertexts are as short as possible ($\dim(\mathcal{H}) = 2^n$).
On the other hand, if the key-hiding property does not hold then the cipher- 
state on its own reveals information about the secret-key. This is certainly an 
unnecessary weakness that one should avoid when designing ciphers. 

The data hiding property states that the adversary expects to see the same
ensemble no matter what message was encrypted. We denote this ensemble

$$\sigma = \sum_{k=1}^{M} \frac{1}{M}\, E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger , \qquad (5)$$

for any $a \in \mathcal{P}$. We first prove that $\rho = \sigma$.

Lemma 1. $\rho = \sigma$.

Proof. Define the state

$$\xi = \sum_{k=1}^{M}\sum_{a\in\mathcal{P}} \frac{1}{NM}\, E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger . \qquad (6)$$

Observe that

$$\xi = \sum_{k=1}^{M}\sum_{a\in\mathcal{P}} \frac{1}{NM}\, E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger = \sum_{k=1}^{M} \frac{1}{M}\,\rho = \rho . \qquad (7)$$

Similarly, when switching the sums in (6), we get $\xi = \sigma$. We conclude that $\rho = \sigma$.

□

We are now ready to prove that for any $(m,n)$-quantum cipher there exists
a measurement that returns the secret key with probability $2^{n-m}$ given any
plaintext and its associated cipher-state. In other words, and similarly to the
classical case, the min-entropy key-uncertainty of any $(m,n)$-quantum cipher is
at most $m - n$.
Theorem 1 (Min-entropy key uncertainty). Let $(\mathcal{P},\mathcal{E})$ be an $(m,n)$-quantum
cipher, encoding the set $\mathcal{P}$. Then

$$(\forall |a\rangle \in \mathcal{P})\,(\exists\ \text{POVM}\ \{M_k\}_{k=1}^{M})\,(\forall k \in \{1,\dots,M\})\,\big[\operatorname{tr}\big(M_k\,\mathcal{E}_k(|a\rangle\langle a|)\big) = 2^{n-m}\big]. \qquad (8)$$

Proof. Let $|a\rangle \in \mathcal{P}$ be given. Consider the set $\mathcal{M} = \{M_k = \frac{N}{M}\, E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger \mid k = 1,\dots,M\}$. Lemma 1 gives

$$\sum_{k=1}^{M} M_k = \sum_{k=1}^{M} \frac{N}{M}\, E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger = N\sigma = N\rho . \qquad (9)$$

Since the plaintexts are orthogonal quantum states, and since unitary operators
preserve angles, we have that $N\rho = \sum_{a\in\mathcal{P}} E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger$ is the eigen
decomposition of $N\rho$, and that 1 is the only eigenvalue. Therefore there exists a
positive operator $P$ such that $N\rho + P = \mathbb{1}$, and thus

$$\sum_{k=1}^{M} M_k + P = N\rho + P = \mathbb{1}, \qquad (10)$$

and $\mathcal{M}\cup\{P\}$ (and therefore also $\mathcal{M}$) is a valid POVM.

The probability of identifying the key with the measurement $\mathcal{M}$ is

$$\begin{aligned}
\operatorname{tr}\big(M_k E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger\big)
&= \operatorname{tr}\Big(\frac{N}{M}\, E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger\, E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger\Big) \\
&= \frac{N}{M}\operatorname{tr}\big(E_k|a\rangle|0\rangle\langle 0|\langle a|E_k^\dagger\big) \\
&= 2^{n-m},
\end{aligned} \qquad (11)$$

which proves the theorem. □

5 Some Example Quantum Ciphers 

In this section, we suggest a general method for designing quantum ciphers that 
can do better in terms of Shannon key-uncertainty than any classical cipher 
with the same parameters. The properties of our ciphers are analyzed in the 
next section. 

The first example is extremely simple: 

Definition 3. The $H_n$ cipher is an $(n+1,n)$-quantum cipher. Given message
$b_1,b_2,\dots,b_n$ and key $c,k_1,\dots,k_n$, it outputs the following $n$ q-bit state as
ciphertext:

$$(H^{\otimes n})^{c}\big(X^{k_1}\otimes X^{k_2}\otimes\cdots\otimes X^{k_n}\,|b_1 b_2\dots b_n\rangle\big), \qquad (12)$$

where $X$ is the bit-flip operator and $H$ is the Hadamard transform. That is, we
use the last $n$ bits of key as a one-time pad, and the first key bit determines
whether or not we do a Hadamard transform on all $n$ resulting q-bits.

Decryption is trivial by observing that the operator $(X^{k_1}\otimes\cdots\otimes X^{k_n})(H^{\otimes n})^{c}$
is the inverse of the encryption operator. It is also easy to see that
the data hiding property is satisfied: if $c,k_1,\dots,k_n$ are uniformly random, then
the encryption of any message produces the complete mixture (in fact this would
be the case already if only $k_1,\dots,k_n$ were uniformly random).

This cipher can be described from a more general point of view: let $B =
\{B_0,\dots,B_{2^t-1}\}$ be a set of $2^t$ orthonormal bases for the Hilbert space of dimension
$2^n$. We require that the bases do not overlap, i.e., no unit vector occurs in
more than one basis. For instance $B$ could consist of the computational basis and
the diagonal basis (i.e. $\{H^{\otimes n}|x\rangle \mid x \in \{0,1\}^n\}$). Let $U_i$ be the unitary operator
that performs a basis shift from the computational basis to the basis $B_i$. Finally,
let $[k_1,\dots,k_t]$ be the number with binary representation $k_1,\dots,k_t$. Then we can
define an $(n+t,n)$-cipher $C_B$ which on input a key $c_1,\dots,c_t,k_1,\dots,k_n$ and a
plaintext $b_1,\dots,b_n$ outputs



The $H_n$-cipher above is a special case with $U_0 = Id$, $U_1 = H^{\otimes n}$. Using arguments
similar to the above, it is easy to see that

Lemma 2. For any set of orthonormal non-overlapping bases $B$, $C_B$ is a quantum
cipher satisfying the data hiding and unique decryption properties.

The lemma holds even if $B$ contains only the computational basis, in which
case $C_B$ is equivalent to the classical one-time pad. The point of having several
bases is that if they are well chosen, this may create additional confusion for the
adversary, so that he will not learn full information on the key, even knowing
the plaintext. We shall see this below.

For now, we note that Wootters and Fields have shown that in a Hilbert
space of dimension $2^n$, there exist $2^n + 1$ orthonormal bases that are mutually
unbiased, i.e., the inner product between any pair of vectors from different bases
has norm $2^{-n/2}$. Using, say, the first $2^n$ of these bases, we get immediately from
the construction above a $(2n,n)$-cipher:

Definition 4. The $W_n$-cipher is the cipher $C_B$ obtained from the above
construction when $B$ is the set of $2^n$ mutually unbiased bases obtained from [8].

5.1 Efficient Encoding/Decoding 

In this section we look at how to implement $W_n$ efficiently. In [8], a construction
for $2^n + 1$ mutually unbiased bases in the space of $n$ qubits is given. In the
following, we denote by $v_s^{(r)}$ with $s, r \in \{0,1\}^n$ the $s$-th vector in the $r$-th
mutually unbiased basis. We write $v_s^{(r)}$ in the computational basis as



\b1b2 . . . 6 „)). 



(13) 




Zg{o,i} 



( 14 ) 
where $i^2 = -1$. Wootters and Fields [8] have shown that $2^n$ mutually
unbiased bases are obtained whenever

(v'P)^ = (15) 

for $\alpha$ a vector of $n$ matrices each of dimensions $n \times n$ with elements in $\{0,1\}$.
The arithmetic in the exponent of $i$ should be carried out over the integers (or
equivalently mod 4). The elements of $\alpha$ are defined by

n 

/*/i = (16) 

m—1 

where $\{f_i\}_{i=1}^{n}$ is a basis for $GF(2^n)$ when seen as a vector space. Therefore, $\alpha$
can be computed on a classical computer (and on a quantum one) in O(n^).

Let $c = c_1,\dots,c_n$ and $k = k_1,\dots,k_n$ be the $2n$ bits of key, with $c$ defining one
out of $2^n$ mutually unbiased bases and $k$ defining the key for the one-time-pad
encoding. The circuit for encrypting the classical message $a$ starts by computing:

$$|\psi\rangle = 2^{-n/2}\sum_{l\in\{0,1\}^n} (-1)^{(a\oplus k)\cdot l}\,|l\rangle . \qquad (17)$$

The state (17) differs from (14) only with respect to the phase factor (determined by $r\cdot\alpha$)
in front of each $|l\rangle$, with $r = c$. Transforming (17) into (14) (that is, transforming
$|\psi\rangle$ into the corresponding vector $v_s^{(c)}$) can easily be achieved using a few controlled operations
as described in App. A. The complexity of the quantum encryption circuit is
O(n^) out of which only O(n^) are quantum gates. The decryption circuit is the
same as for the encryption except that it is run in reverse order. A similar
encryption/decryption circuit can easily be implemented for any $C_B$-cipher where
$B$ is a set of mutually unbiased bases.



6 Optimal Measurements w.r.t. Shannon Entropy 

Our ultimate goal is to estimate the Shannon key-uncertainty of an (m, n)- 
quantum cipher, i.e., the amount of entropy that remains on the key after making 
an optimal measurement on a ciphertext where the plaintext is given. But actu- 
ally, this scenario is quite general and not tied to the cryptographic application: 
what we want to answer is: given a (pure) state chosen uniformly from a given 
set of states, how much Shannon entropy must (at least) remain on the choice 
of state after having made a measurement that is optimal w.r.t. minimizing the 
entropy? 

So what we should consider is the following experiment: choose a key $k \in \mathcal{K}$
uniformly. Encrypt a given plaintext $p$ under key $k$ to get state $|c_k\rangle$ (we assume
here for simplicity that this is a pure state). Perform some measurement (that
may depend on $p$) and get outcome $u$. Letting random variables $K, U$ correspond
to the choices of key and outcome, we want to estimate

$$H(K|U) = \sum_{u} \Pr(U=u)\, H(K|U=u) . \qquad (18)$$



Now, $H(K|U=u)$ is simply the Shannon entropy of the probability distribution
$\{\Pr(K=k\,|\,U=u) \mid k \in \mathcal{K}\}$. By the standard formula for conditional probabilities,
we have

$$\Pr(K=k\,|\,U=u) = \frac{\Pr(U=u\,|\,K=k)\,\Pr(K=k)}{\Pr(U=u)} . \qquad (19)$$



Note that neither $\Pr(U=u)$ nor $\Pr(K=k)$ depends on the particular value of
$k$ (since keys are chosen uniformly).

The measurement in question can be modeled as a POVM, which without loss
of generality can be assumed to contain only elements of the form $\alpha_u|u\rangle\langle u|$, i.e.,
a constant times a projection determined by a unit vector $|u\rangle$. This is because
the elements of any POVM can be split in a sum of scaled projections, leading
to a measurement with more outcomes which cannot yield less information than
the original one. It follows immediately that

$$\Pr(U=u\,|\,K=k) = |\alpha_u|^2\,|\langle u|c_k\rangle|^2 . \qquad (20)$$



Note that also the factor $|\alpha_u|^2$ does not depend on $k$. Then by (19) and (20), we
get

$$1 = \sum_{l\in\mathcal{K}} \Pr(K=l\,|\,U=u) = \frac{|\alpha_u|^2\,\Pr(K=k)}{\Pr(U=u)} \sum_{l\in\mathcal{K}} |\langle u|c_l\rangle|^2 , \qquad (21)$$

which means that we have

In other words, $H(K|U=u)$ can be computed as follows: compute the set of
values $\{|\langle u|c_k\rangle|^2 \mid k \in \mathcal{K}\}$, multiply by a normalization factor so that the resulting
probabilities sum to 1, and compute the entropy of the distribution obtained.
We call the resulting entropy $H[|u\rangle, S_K]$, where $S_K$ is the set of states that may
occur, $\{|c_k\rangle \mid k \in \mathcal{K}\}$. This is to emphasize that $H[|u\rangle, S_K]$ can be computed only
from $|u\rangle$ and $S_K$; we do not need any information about other elements in the
measurement. From (18) and $H(K|U=u) = H[|u\rangle, S_K]$ follows immediately

Lemma 3. With notation as above, we have:

$$H(K|U) \;\ge\; \min_{|u\rangle}\big\{H[|u\rangle, S_K]\big\}, \qquad (23)$$

where $|u\rangle$ runs over all unit vectors in the space we work in.

This bound is not necessarily tight, but it will be, exactly if it is possible to
construct a POVM consisting only of (scaled) projections $\alpha_u|u\rangle\langle u|$ that minimize
$H[|u\rangle, S_K]$. In general, it may not be easy to solve the minimization problem
suggested by the lemma, particularly if $S_K$ is large and lives in many dimensions.
But in some cases, the problem is tractable, as we shall see.
7 The Shannon Key-Uncertainty of Quantum Ciphers

In this section we study the cipher $C_B$ that we constructed earlier based on a
set of $2^t$ orthonormal bases $B$. For this, we first need a detour: each basis in
our set defines a projective measurement. Measuring a state $|u\rangle$ in basis $B_i \in B$
produces a result, whose probability distribution depends on $|u\rangle$ and $B_i$. Let
$H[|u\rangle, B_i]$ be the entropy of this distribution. We define the Minimal Entropy
Sum (MES) of $B$ as follows:

$$MES(B) = \min_{|u\rangle}\Big\{\sum_{i=0}^{2^t-1} H[|u\rangle, B_i]\Big\}, \qquad (24)$$

where $|u\rangle$ runs over all unit vectors in our space. Lower bounds on the minimal
entropy sum for particular choices of $B$ have been studied in several papers,
under the name of entropic uncertainty relations [5,7,3]. This is motivated by
the fact that if the sum is large, then it is impossible to simultaneously have
small entropy on the results of all involved measurements. One can think of this
as a “modern” version of Heisenberg’s uncertainty relations. It turns out that
the key uncertainty of $C_B$ is directly linked to $MES(B)$:

Lemma 4. The Shannon key uncertainty of the cipher $C_B$ (with $2^t$ bases) is at
least $MES(B)/2^t + t$.

Proof. We may use Lemma 3, where the set of states $S_K$ in our case consists of
all basis states belonging to any of the bases in $B$. To compute $H[|u\rangle, S_K]$, we
need to consider the inner products of unit vector $|u\rangle$ with all vectors in $S_K$. In
our case, this is simply the coordinates of $|u\rangle$ in each of the $2^t$ bases, so clearly
the norm squares of the inner products sum to $2^t$. Let $z_{ij}$ be the $i$’th vector in
the $j$’th basis from $B$. We compute as follows:

$$\begin{aligned}
H[|u\rangle, S_K] &= \sum_{j=0}^{2^t-1}\sum_{i=0}^{2^n-1} \frac{1}{2^t}\,|\langle u|z_{ij}\rangle|^2 \log\big(2^t\,|\langle u|z_{ij}\rangle|^{-2}\big) \\
&= \sum_{j=0}^{2^t-1}\sum_{i=0}^{2^n-1} \frac{1}{2^t}\,|\langle u|z_{ij}\rangle|^2 \log\big(|\langle u|z_{ij}\rangle|^{-2}\big) + \sum_{j=0}^{2^t-1}\sum_{i=0}^{2^n-1} \frac{1}{2^t}\,|\langle u|z_{ij}\rangle|^2 \log(2^t) \\
&= \frac{1}{2^t}\sum_{j=0}^{2^t-1}\sum_{i=0}^{2^n-1} |\langle u|z_{ij}\rangle|^2 \log\big(|\langle u|z_{ij}\rangle|^{-2}\big) + \frac{t}{2^t}\sum_{j=0}^{2^t-1}\sum_{i=0}^{2^n-1} |\langle u|z_{ij}\rangle|^2 \\
&= \frac{1}{2^t}\sum_{j=0}^{2^t-1} H[|u\rangle, B_j] + t \;\ge\; \frac{1}{2^t}\,MES(B) + t .
\end{aligned} \qquad (25)$$

The lemma follows.

□
We warn the reader against confusion about the role of $|u\rangle$ and $B$ at this point.
When we estimate the key uncertainty of $C_B$, we are analyzing a POVM, where
$|u\rangle$ is one of the unit vectors defining the POVM. But when we do the proof of
the above lemma and use the entities $H[|u\rangle, B_j]$, we think instead of $|u\rangle$ as the
vector being measured according to basis $B_j$. There is no contradiction, however,
since what matters in both cases is the inner products of $|u\rangle$ with the vectors
in the bases in $B$. We are now in a position to give results for our two concrete
ciphers $H_n$ and $W_n$ defined earlier.

Theorem 2. The $H_n$-cipher has Shannon key-uncertainty $n/2 + 1$ bits.

Proof. The main result of [5] states that when $B$ is a set of two mutually unbiased
bases in a Hilbert space of dimension $2^n$ then $MES(B) \ge n$. Using Lemma 4,
it follows that $H_n$ has Shannon key-uncertainty at least $n/2 + 1$. Moreover,
there exist measurements (for example the von Neumann measurement in
either the rectilinear or Hadamard basis) achieving $n/2 + 1$ bits of Shannon key-
uncertainty. The result follows. □
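To make Lemma 3 and Theorems 1 and 2 concrete, here is an added Python example (written for this page, not the paper's own code) that builds the ciphertext states of the $H_n$ cipher for a fixed plaintext, evaluates $H[|u\rangle, S_K]$ for the von Neumann measurement in the computational basis to obtain $H(K|U) = n/2 + 1$, and checks that the key-guessing POVM $M_k = \frac{N}{M}\,|c_k\rangle\langle c_k|$ of Theorem 1 sums to the identity and succeeds with probability $2^{n-m} = 1/2$. Function names are assumptions of this example; $n$ is kept small so plain Python suffices.

```python
import math
from itertools import product

def hn_encrypt(plaintext, key):
    """Ciphertext state of the H_n cipher (eq. (12)) as a list of real
    amplitudes over the computational basis: one-time-pad with k_1..k_n,
    then apply H^{(x)n} if the first key bit c is 1."""
    c, pad = key[0], key[1:]
    x = 0
    for b, k in zip(plaintext, pad):          # |b_1..b_n> -> |b (+) k>
        x = (x << 1) | (b ^ k)
    dim = 2 ** len(plaintext)
    if c == 0:
        return [1.0 if l == x else 0.0 for l in range(dim)]
    amp = 2 ** (-len(plaintext) / 2)          # H^{(x)n}|x> = 2^{-n/2} sum_l (-1)^{x.l} |l>
    return [amp * (-1) ** bin(x & l).count("1") for l in range(dim)]

def ciphertext_states(plaintext):
    """S_K: the ciphertext states of a fixed plaintext under every (n+1)-bit key."""
    keys = list(product((0, 1), repeat=len(plaintext) + 1))
    return keys, [hn_encrypt(plaintext, k) for k in keys]

def entropy(probs):
    return -sum(p * math.log2(p) for p in probs if p > 0)

def overlap2(u, v):
    """|<u|v>|^2 for real state vectors."""
    return sum(a * b for a, b in zip(u, v)) ** 2

def h_u(u, states):
    """H[|u>, S_K] of Lemma 3: normalise {|<u|c_k>|^2 : k} and take the entropy."""
    w = [overlap2(u, s) for s in states]
    total = sum(w)
    return entropy([x / total for x in w])

def shannon_key_uncertainty_computational(plaintext):
    """H(K|U) of eq. (18) for the measurement in the computational basis,
    one of the measurements the proof of Theorem 2 names as optimal."""
    _, states = ciphertext_states(plaintext)
    dim = len(states[0])
    total = 0.0
    for i in range(dim):
        u = [1.0 if l == i else 0.0 for l in range(dim)]
        # Pr(U=u) = sum_k Pr(K=k) |<u|c_k>|^2 with Pr(K=k) = 2^{-(n+1)}
        pr_u = sum(overlap2(u, s) for s in states) / len(states)
        total += pr_u * h_u(u, states)
    return total                               # n/2 + 1 (Theorem 2)

def key_guessing_povm(plaintext):
    """POVM of Theorem 1, M_k = (N/M) |c_k><c_k| with N = 2^n, M = 2^{n+1}.
    Returns (largest entry of |sum_k M_k - identity|, tr(M_k |c_k><c_k|))."""
    _, states = ciphertext_states(plaintext)
    dim = len(states[0])
    scale = dim / len(states)                  # N/M = 1/2 for H_n
    total = [[0.0] * dim for _ in range(dim)]
    for s in states:
        for r in range(dim):
            for c in range(dim):
                total[r][c] += scale * s[r] * s[c]
    deviation = max(abs(total[r][c] - (1.0 if r == c else 0.0))
                    for r in range(dim) for c in range(dim))
    hit = scale * overlap2(states[0], states[0])   # the same for every key k
    return deviation, hit                      # (~0, 2^{n-m} = 0.5)

if __name__ == "__main__":
    for pt in [(0,), (1, 0), (1, 1, 0)]:
        # classical (n+1, n)-cipher: Shannon and min-entropy uncertainty both 1 bit
        print(len(pt), shannon_key_uncertainty_computational(pt), key_guessing_povm(pt))
```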

For the case of $W_n$, we can use a result by Larsen [3]. He considers the probability
distributions induced by measuring a state $|u\rangle$ in $N+1$ mutually unbiased
bases, for a space of dimension $N$. Let the set of bases be $B_1,\dots,B_{N+1}$, and
let $\pi_{|u\rangle,i}$ be the collision probability for the $i$’th distribution, i.e., the sum of the
squares of all probabilities in the distribution. Then Larsen’s result (actually a
special case of it) says that

$$\sum_{i=1}^{N+1} \pi_{|u\rangle,i} = 2 . \qquad (26)$$

In our case, $N = 2^n$. However, to apply this to our cipher $W_n$, we would like to
look at a set of only $2^n$ bases and we want a bound on the sum of the entropies
$H[|u\rangle, B_i]$ and not the sum of the collision probabilities. This can be solved
following a line of arguments from Sanchez-Ruiz [7]. Using Jensen’s inequality,
we can compute as follows:

$$\sum_{i=1}^{N} H[|u\rangle, B_i] \;\ge\; -\sum_{i=1}^{N} \log \pi_{|u\rangle,i}$$



Together with Lemma 4 we get:

Theorem 3. The $W_n$-cipher has Shannon key-uncertainty at least $2n - 1$ bits.
The result stated here is only a lower bound on the key uncertainty for $W_n$.
Given what we know, however, it is very plausible to conjecture that the minimal
entropy sum of a set of $2^t$ mutually unbiased bases in a space of dimension $2^n$
is $(2^t - 1)n$ bits, or at least very close to this value. This is true for $t = 1$ and
we know that for $t = n$, the sum is at least $2^n(n-1)$.

Conjecture 1. Let $B$ be a set of $2^n$ mutually unbiased bases of a space of dimension
$2^n$. Then $MES(B) = (2^n - 1)n$ bits.

Under this conjecture, cipher $W_n$ has almost full Shannon key-uncertainty:

Lemma 5. Under Conjecture 1, $W_n$ has Shannon key-uncertainty $2n - n2^{-n}$
bits.

The $H_n$- and $W_n$-ciphers represent two extremes, using the minimal non-trivial
number of bases, respectively as many of the known mutually unbiased
bases as we can address with an integral number of key bits. It is not hard to
define example ciphers that are “in between” and prove results on their key-
uncertainty using the same techniques as for $W_n$. However, what can be derived
from Larsen’s result using the above line of argument becomes weaker as one
considers a smaller number of bases.

8 Composing Ciphers 

What happens to the key uncertainty if we use a quantum cipher twice to en- 
crypt two plaintext blocks, using independently chosen keys? Intuition based on 
classical behavior suggests that the key uncertainty should now be twice that 
of a single application of the cipher, since the keys are independent. But in the 
quantum case, this requires proof: the adversary will be measuring a product 
state composed of the state of the two ciphertext blocks, and may make a co- 
herent measurement involving both blocks simultaneously. This may in general 
produce results different from those obtained by measuring blocks individually. 
In our case, however, a simple information theoretic argument shows that the 
key uncertainty will still be what one might expect: 

For any quantum $(m,n)$-cipher $C$, let $C^v$ be the cipher composed $v$ times with
itself, i.e., we encrypt $v$ blocks of plaintext using $v$ independently and randomly
chosen keys. We have

Theorem 4. Let $C$ be a quantum $(m,n)$-cipher with Shannon key-uncertainty
$h$. The Shannon key-uncertainty of $C^v$ is at least $v \cdot h$.

Proof. Consider the following random experiment: choose $v$ keys for $C$ independently,
represented by random variables $K_1,\dots,K_v$. Encrypt an arbitrary $v$-block
plaintext $p$ using $C^v$ and $K_1,\dots,K_v$ as key. Perform some measurement $\mathcal{M}$ on
the ciphertext, where $\mathcal{M}$ may be chosen as a function of $p$. Let the measurement
result be represented by random variable $Y_{\mathcal{M}}$. We will assume that given $p$, we
choose a measurement $\mathcal{M}_p$ so that the Shannon key-uncertainty on $K_1,\dots,K_v$
provided by $Y_{\mathcal{M}_p}$ (i.e. $H(K_1,\dots,K_v|Y_{\mathcal{M}_p})$) is minimum. Since the $K_i$’s are
independent, we have

$$\min_{\mathcal{M}_p}\big(H(K_1,\dots,K_v\,|\,Y_{\mathcal{M}_p})\big) = \min_{\mathcal{M}_p}\Big(\sum_{i=1}^{v} H(K_i\,|\,Y_{\mathcal{M}_p})\Big). \qquad (28)$$

We can then estimate each term $H(K_i|Y_{\mathcal{M}_p})$ for fixed $p$ and $i$ by considering
a different experiment: suppose we are given a single ciphertext block $c_i$
produced by $C$ from a plaintext block $p_i$ where $p_i$ is the $i$’th block of $p$. Then,
choose $v - 1$ keys $\{K_j \mid j = 1,\dots,v,\ j \neq i\}$ at random, encrypt the $j$’th block of $p$
(except $p_i$) under $K_j$ to get ciphertext block $c_j$, and perform measurement $\mathcal{M}_p$
on the concatenation of $c_1,\dots,c_v$ (including the block $c_i$ we received as input).
Clearly, the state measured is the same mixture as in the first experiment, and
so the result will have the same distribution as $Y_{\mathcal{M}_p}$. On the other hand, this second
experiment is equivalent to performing a measurement with ancilla on $c_i$.
It follows that by assumption on $C$, $H(K_i|Y_{\mathcal{M}_p}) \ge h$. Combining this with (28)
gives the desired result. □

9 Application to Stream-Ciphers 

We can use the quantum ciphers we just described to build a (computationally 
secure) quantum stream-cipher using a short key K of length independent from 
the message length. In fact, any (m,n)-cipher and classical pseudorandom gen- 
erator can be used: we seed the generator with key K, and use its output as a 
keystream. To encrypt, we simply take the next m bits from the keystream and 
use these as key in the cipher to encrypt the next n bits of the plaintext. 

Since an $(m,n)$-cipher has perfect security, this construction would have perfect
security as well if the keystream were genuinely random. By a standard
reduction, this implies that breaking it is at least as hard as distinguishing the
output of the generator from a truly random string.

All this is true whether we use a classical or an $(m,n)$-quantum cipher. However,
by our results on Shannon key-uncertainty, the adversary is in a potentially
much harder situation in the quantum case. For intuition on this, we refer to the
discussion in the introduction. As a more concrete illustration, we consider the
following scenario:

1. We have a pseudorandom generator $G$, expanding a $\kappa$-bit seed $K$ into an
$N$-bit sequence $G(K)$. Furthermore, any subset containing at most $e$ bits
of $G(K)$ is uniformly random. Finally, no polynomial time (in $\kappa$) classical
algorithm can with non-negligible advantage distinguish $G(K)$ from a truly
random sequence when given any piece of data that is generated from $G(K)$
and contains at most $t$ bits of Shannon information on $G(K)$. Both $e$ and $t$
are assumed to be polynomial in $\kappa$.

2. Coherent measurements simultaneously involving $\mu$ qubits or more are not
possible to implement in practice. However, technology has advanced so that
the $W_n$-cipher can be implemented for some $n \ll \mu$.
3. We will consider an adversary that first obtains some amount of known plaintext.
Given the plaintext, he decides on a number of complete measurements
that he executes on parts of the ciphertext (under the constraints of assumption
2). For simplicity we assume that each measurement involves an integral
number of $n$-bit ciphertext blocks.¹ Finally he executes any polynomial time
classical algorithm to analyze the results.

The first assumption can be justified using a result by Maurer and Massey [4] on
locally random pseudorandom generators. Their result asserts that there exist
pseudorandom generators satisfying the assumption that any $e$ bits are genuinely
random, provided $e < \kappa/\log_2 N$. Their generators may not behave well against
attacks having access to more than $e$ bits of the sequence, but one can always xor
the output from their generator with the output of a more conventional one using
an independent key. This will preserve the local randomness. Note that the size
of $\kappa$ does not influence the size of the quantum computer required for the honest
party to encrypt or decrypt. The third assumption essentially says that we do
not expect that results of (incomplete) measurements obtained on one part of
the ciphertext will help significantly in designing measurements on other parts.
This is justified, as long as not too many measurements are performed: as long
as results from previous measurements contain less than $t$ bits of information on
the keystream, then by assumption 1, these results might (from the adversary’s
point of view) as well have been generated from measuring a random source,
and so they do not help in designing the next measurement. This assumption
can therefore be dropped in a more careful analysis since it essentially follows
from assumptions 1 and 2. For simplicity, we choose to make it explicit.

Lemma 6. Assume we apply the $W_n$-cipher for stream encryption using a pseudorandom
generator and with an adversary as defined by assumptions 1, 2, and
3 above. Suppose we choose $e = 2\mu$ and $\kappa > 2\mu\log_2 N$; then the adversary will
need to obtain more than $tn$ bits of known plaintext in order to distinguish the
case of a real encryption from the case where the keystream is random. Assuming
Conjecture 1, this number becomes $t2^n$ bits of known plaintext.

Proof. Assume the PRG satisfies assumption 1, which is possible since $\kappa >
e\log_2 N$. By assumption 2, any attack that measures several blocks of ciphertext
in one coherent measurement can handle at most $\mu = e/2$ qubits at any
one time. By construction, this ciphertext was created using less than $e$ bits
of the keystream, which is random by assumption 1. Therefore, the measurement
will give the same result as when attacking the composition $W_n^{v}$, since
the measurement involves $v < \mu$ qubits (since different blocks of the keystream
are independent if the stream is truly random) and by assumption 1. Hence, by
Theorems 4 and 3 the adversary can learn at most $v/n$ bits of information from
each measurement, and under Conjecture 1, at most $v2^{-n}$ bits. Hence, if the

¹ This assumption can be dropped so that we can still prove Lemma 6 using a more
complicated argument and provided the local randomness of the generator is
expanded from $e$ to n^e.
adversary has $T$ bits of known plaintext, and hence measures $T$ ciphertext bits,
he needs to have $T/n > t$ in order for the classical distinguisher to work, by
assumption 1 (or $T2^{-n} > t$ under the conjecture). The lemma follows. □

This lemma essentially says that for a generator with the right properties, and for
an adversary constrained as we have assumed, quantum communication allows
using the generator securely to encrypt $tn$ ($t2^n$) bits, rather than the $t$ bits we
would have in the classical case. A similar result can be shown for the $H_n$-cipher,
saying that by using $H_n$, we gain essentially a factor 2 in plaintext size over the
classical case.

Of course, these results do not allow us to handle adversaries as general as we
would like; in particular, our constraints are different from just assuming the
adversary is quantum polynomial time. Nevertheless, we believe that the scenario
we have described can be reasonable with technology available in the foreseeable
future. Moreover, it seems to us that quantum communication should help even
for more general adversaries and generators. Quantifying this advantage is an
open problem.

10 Conclusion and Open Problems 

We have seen that , despite the fact that quantum communication cannot help to 
provide perfect security with shorter keys when only one-way communication is 
used, there are fundamental differences between classical and quantum ciphers 
with perfect security, in particular the Shannon key uncertainty can be much 
larger in the quantum case. However, the min-entropy key-uncertainty is the 
same in the two cases. It is an open question whether encryption performed 
by general quantum operations allows for quantum ciphers to have more min- 
entropy key-uncertainty than classical ones. 

We have also seen an application of the results on Shannon key uncertainty 
to some example quantum ciphers that could be used to construct a quantum 
stream-cipher where, under a known plaintext attack, a resource-bounded ad- 
versary would be in a potentially much worse situation than with any classical 
stream-cipher with the same parameters. 

For the ciphers we presented, the Shannon key-uncertainty is known exactly
for the $H_n$-cipher but not for the $W_n$-cipher. It is an interesting open question
to determine it. More generally, is Conjecture 1 true?



References 

1. A. Ambainis, M. Mosca, A. Tapp and R. de Wolf, Private Quantum Channels,
Proceedings of the 41st Annual Symposium on Foundations of Computer Science,
2000, pp. 547-553.

2. D. DiVincenzo, M. Horodecki, D. Leung, J. Smolin and B. Terhal, Locking
Classical Correlation in Quantum States, Phys. Rev. Letters, vol. 92, 067902, 2004.

3. U. Larsen, Superspace Geometry: the exact uncertainty relationship between
complementary aspects, J. Phys. A: Math. Gen. 23 (1990), pp. 1041-1061.






4. U. Maurer and J. Massey, Local Randomness in Pseudorandom Sequences, Journal
of Cryptology, vol. 4, 1991, pp. 135-149.

5. H. Maassen and J. B. M. Uffink, Generalized Entropic Uncertainty Relations,
Phys.Rev. Letters, vol. 60, 1988, pp. 1103-1106.

6. M. Nielsen and I. Chuang, Quantum Computation and Quantum Information,
Cambridge University Press, 2000.

7. J. Sanchez-Ruiz, Improved bounds in the entropic uncertainty and certainty
relations for complementary observables, Physics Letters A 201, 1995, pp. 125-131.

8. W.K. Wootters and B.D. Fields, Optimal state-determination by mutually
unbiased measurements, Annals of Physics 191, pp. 363-381.



A Encryption Circuit for the $W_n$-Cipher

The circuit depicted in Fig. 2 implements the encryption of any plaintext $a =
a_1,\dots,a_n \in \{0,1\}^n$ according to the secret key $(c,k) \in \{0,1\}^{2n}$. It uses three
sub-circuits (1), (2), and (3) as defined in Fig. 1.
Fig. 1. Sub-circuits to the encryption circuit of Fig. 2.



Sub-circuit (1), given $c$ and $\alpha$, produces the matrix $c\cdot\alpha$ in the register denoted $A$. Notice
that circuit (1) is a classical circuit. It can be implemented with O(n^) classical
gates. The sub-circuit (2) accepts as input $c\cdot\alpha$ together with $l$, computes
$d \in \{0,\dots,3\}$, and stores the result in a 2-qubit register $I$. In (3), an
overall phase factor $i^{d}$ is computed in front of the computational basis element $|l\rangle$.
Fig. 2. Encoding circuit for cipher $W_n$.



The last gates allow resetting registers $I$ and $A$, making sure that the registers containing
the encrypted data are separable from the other registers. It is straightforward
to verify that registers initially in state $|a_1\rangle \otimes \dots \otimes |a_n\rangle$ end up in the state
required. The overall complexity is O(n^) quantum gates since (3) requires only
O(n^) CNOTs, which is of the same complexity as super-gate (2). In conclusion,
the total number of gates is O(n^) out of which O(n^) are quantum.
Abstract. A completely insecure communication channel can only be
transformed into an unconditionally secure channel if some information- 
theoretic primitive is given to start from. All previous approaches to 
realizing such authenticity and privacy from weak primitives were sym- 
metric in the sense that security for both parties was achieved. We 
show that asymmetric information-theoretic security can, however, be 
obtained at a substantially lower price than two-way security — like in 
the computational-security setting, as the example of public-key cryp- 
tography demonstrates. In addition to this, we show that also an un- 
conditionally secure bidirectional channel can be obtained under weaker 
conditions than previously known. One consequence of these results is 
that the assumption usually made in the context of quantum key distri- 
bution that the two parties share a short key initially is unnecessarily 
strong. 

Keywords. Information-theoretic security, authentication, information 
reconciliation, privacy amplification, quantum key agreement, reductions 
of information-theoretic primitives. 



1 Motivation and Main Results 

1.1 Realizing Unconditional Security from Other Primitives 

There are mainly two types of cryptographic security, namely computational
and information-theoretic security. Systems of the first type can in principle be
broken by adversaries with sufficient computing power; their security is based
on the hardness of certain computational tasks — such as factoring large integers
or computing discrete logarithms. However, no proofs of the security of such
schemes can be given to date. To make things even worse, the realization
of a quantum computer would allow for breaking many presently-used systems
efficiently. These facts serve as a strong motivation for the study of information-
theoretically secure cryptography. Systems of this type are provably unbreakable
even by computationally unlimited adversaries. Clearly, this is the most desir-
able type of security — but it has its price [21], the exact determination of which
has been an open problem and subject to intensive study. Most generally speak-
ing, this price is some information-theoretic primitive [15] I, such as shared keys
that are fully [20], [8], [11] or partially random [9], [18] and secret [19], authen-
ticated and/or noisy classical [22], [6] or quantum [1] communication channels,
or correlated pieces of information [13].

In order to describe these previous — and our new — results on a conceptual
level, we use the following “channel calculus” introduced in [16]. Here, A ⟶ B
denotes an insecure communication channel from Alice to Bob, A •⟶ B is
an authentic channel from Alice to Bob (i.e., the exclusivity — represented by
• — sits on the sender’s side, whereas the actual security is on the receiver’s
side: according to his view and knowledge, the message comes indeed from the
legitimate sender), A ⟶• B is a confidential channel (in the sender’s view,
the channel’s output is accessible exclusively by the legitimate receiver), and
the channel A •⟶• B offering both authenticity and confidentiality is called a
secure channel. The bidirectional channel A •⟷ B, for instance, is authentic
from Alice to Bob and confidential in the opposite direction.

A number of previous results showed when and how an unconditionally secure 
channel can be obtained from completely insecure and from authentic but public 
channels, respectively. In [22], [6], [17], [19], examples of information-theoretic 
primitives I are given that allow for obtaining an unconditionally secure channel 
from completely insecure communication, i.e., for realizing the transformation 




whereas it was shown in [13], for instance, that the required primitive I' can gen- 
erally be much weaker if the communication channel is assumed to be authentic 
initially: 

[channel-transformation diagram: an authentic bidirectional channel between A and B,
together with the primitive I', yields a secure bidirectional channel between A and B]

Note that in the context of computational security, this latter channel transfor- 
mation is possible without any additional primitive I' (e.g., by using the Diffie- 
Hellman protocol [7]). In sharp contrast to this, unconditional authenticity alone 
is not sufficient for realizing unconditional confidentiality [13], [14], [17]. 

Clearly, a typical example of a primitive I which works in both of the above 
cases is a shared secret key of sufficient length. The question is whether much 
weaker primitives can be sufficient as well. More specifically, some of the open 
questions are the following. 

— All known examples of protocols achieving the above transformations do this
via the generation of a shared private key. The generated (unconditional)
security then sits on both sides of the channel (as shown in the diagrams
above). Is it possible to realize unconditional security on only one end of the
channel under weaker assumptions? In other words, what is the price for
realizing asymmetric¹ unconditional security? What is the minimal price for
an unconditional “•”?

— Unconditional secret-key agreement protocols consist of different phases (such
as interactive error correction, called information reconciliation, or privacy
amplification). The assumption is normally made that the public communi-
cation channel over which these protocols are carried out is authentic. Which
of these protocol steps require authentic channels, and which do not?

— If authentic channels are indeed necessary (such as in quantum key distri-
bution), what is the minimal price (i.e., the weakest possible primitive) for
obtaining them?

In the present paper, we give answers to all three questions. First, we de- 
scribe a class of information-theoretic primitives I" that allow for obtaining 
unconditional asymmetric security, i.e., for realizing the transformation 




We show that such a primitive I'' is generally not sufficient for obtaining a two-
way secure channel, and that our class of primitives is optimal in the sense that
weaker primitives normally do not allow for obtaining any information-theoretic
security at all in the setting of completely insecure communication. Because
of these two optimality results, one can say that we give the exact price for
unconditional security, i.e., for realizing an unconditional “•”, which can be seen
as an “atom of information-theoretic security”.

Among the protocols used to achieve these results are methods for so-called 
information reconciliation (i.e., interactive error correction) not requiring au- 
thentic channels. Together with a similar result for privacy amplification [19], 
this implies that in many cases, information-theoretically secure key agreement 
protocols exist which do not require authentic channels at all. 

If, on the other hand, such authenticity is required for a protocol, it can be 
achieved under much weaker assumptions than previously believed. For instance, 
it has been a standard assumption in quantum key distribution that the process- 
ing of the key requires a short secret key to start with — therefore, quantum key 
agreement is sometimes said to be key expansion. We show that neither a short 
secret key [11] nor a partially secret common string [19] are required for quantum 
key distribution, but that much weaker assumptions are in fact sufficient. 

1.2 Main Results 

We now give the main results of this paper. We first introduce the entropy 
measures required to formulate them. (For an introduction to information theory, 
see, for instance, [5].) 

¹ Note that the term asymmetric is used here with respect to the high-level function-
ality and not — as usual — with respect to the keys held by the parties. In spite of
this difference, it is fair to say that we try to realize the functionality of public-key
authentication and encryption, but in the setting of unconditional security.
Definition 1 Let $X$ and $Y$ be two random variables (with ranges $\mathcal{X}$ and $\mathcal{Y}$). The
min-entropy $H_\infty(Y)$ of $Y$ is² $H_\infty(Y) := -\log\bigl(\max_{y \in \mathcal{Y}} P_Y(y)\bigr)$. The 0-entropy
$H_0(Y)$ is defined as $H_0(Y) := \log |\{y \in \mathcal{Y} \mid P_Y(y) > 0\}|$, and let

$$H_0^{\max}(Y|X) := \max_x \bigl(H_0(Y|X = x)\bigr) .$$

It has been shown in [19] that a common key S an arbitrarily large fraction 
of which (in terms of min-entropy) is known to the adversary is sufficient for 
obtaining two-way unconditional security. 

Previous Result. [19] Let Alice and Bob be connected by a completely insecure
bidirectional channel and share a binary string $S$, whereas an adversary Eve
knows a random variable $U$ such that³

$$H_\infty(S|U = u) = \Omega(\mathrm{len}(S))$$

holds (where $u \in \mathcal{U}$ is the particular value known to Eve). Then Alice and Bob
can obtain an unconditionally authentic and confidential bidirectional channel
between each other.⁴

In this paper, we show that unconditional security on only one side of the 
channel can be achieved at a substantially lower price; in particular, the parties 
are not required to share any common string initially. The following result and 
its tightness are shown in Sections 2 and 3. 

Asymmetric Result. Assume that Alice and Bob — who are connected by a
completely insecure bidirectional channel — and an adversary Eve know random
variables $X$, $Y$, and $U$, respectively, such that

$$H_\infty(Y|U = u) - H_0^{\max}(Y|X) = \Omega(\log|\mathcal{Y}|) \qquad (1)$$

holds. Then Alice and Bob can obtain an unconditionally authentic channel from
Alice to Bob and an unconditionally confidential channel from Bob to Alice.

The length of the message which can be sent in a confidential way is (asymp- 
totically) equal to the expression on the left hand side of (1). It is shown in 
Section 3.2 that this is optimal. 

We also give a symmetric result which improves on the previous result above: 
Even a completely secure bidirectional channel can be obtained by parties not 
sharing a common string to start with. This is shown in Section 4. 



² All logarithms in this paper are with respect to the base 2.

³ It is only for simplicity that we give asymptotic formulations of the previous and
new results here. The involved hidden constants are small, and the protocols are
useful already for relatively small values of $n$.

⁴ More precisely, the length of a message that can be sent in an almost-perfectly secret
way, for instance, is $(1 - o(1)) H_\infty(S|U = u)$.
Symmetric Result. Assume that Alice and Bob — who are connected by a
completely insecure bidirectional channel — and an adversary Eve know random
variables $X$, $Y$, and $U$, respectively, such that

$$\max\bigl(H_\infty(X|U = u), H_\infty(Y|U = u)\bigr) \;-$$

$$= \Omega\bigl(\max(\log|\mathcal{X}|, \log|\mathcal{Y}|)\bigr)$$

holds. Then Alice and Bob can obtain an unconditionally authentic and confi-
dential bidirectional channel between each other.

In contrast to many previous secret-key agreement protocols, our protocols 
are not restricted to specific probability distributions but are universal in the 
sense that they work for any element in the class of distributions characterized 
by the given entropy conditions, where Alice and Bob do not have to know 
what the actual distribution is. Of course, such a condition is just one possible 
way of defining classes of distributions; it is a natural one, however, since a 
direct connection can be made to, for instance, an adversary’s memory space. In 
Section 3 it is shown that our protocols are — in their universality — optimal. 

Note that we have conditioned the involved random variables on an adver-
sary’s knowledge $U = u$. Alternatively, our results can be interpreted as con-
cerning the model of unconditional security from keys generated by correlated
weak random sources (other examples of such results are given in [9] and [18]).

If, on the other hand, $Y$ is an a priori uniformly distributed key and $U$
is Eve’s information, then inequality (1) can be replaced by the — somewhat
stronger — assumption

$$H_0(U) + H_0^{\max}(Y|X) = (1 - \Omega(1)) \log|\mathcal{Y}| \qquad (2)$$

because of Lemma 2 below. Condition (2) is directly comparable to related 
bounds and results in quantum cryptography since all the involved quantities now 
have natural “translations” on the quantum side: The entropy of the involved 
random variables can simply be replaced by the entropy of the corresponding 
quantum states. Bounds on these quantities naturally arise from bounds on the 
size of an adversary’s (quantum) memory [12], for instance. 

2 Asymmetric Unconditional Security from Minimal Primitives

2.1 Authentication Between Parties NOT Sharing a Common String

The first ingredient for our protocols is an unconditional authentication method
that is secure even between parties not sharing the same string; furthermore,
none of the two parties’ initial strings has to be secret, the only condition being
that a non-vanishing fraction of the receiver’s string is unknown to the adver-
sary (in terms of min-entropy). More precisely, we show that the interactive
authentication method presented in [19] — there in the context of parties sharing
a partially secret key — has the following property: Under the sole condition that
an adversary Eve is not fully aware of the receiver Bob’s string, the latter can
receive authenticated messages from Alice: He will (almost) never accept if the
message was not the one sent by Alice (whatever her string and Eve’s knowledge
about it is). In other words, the protocol is secure also if Alice and Bob do not
share the same key. More precisely, whereas they will only accept if their initial
strings are identical — a fact that they enforce by interactive error correction — ,
Eve is unable to mount a successful active attack even if they are not.

We review Protocol AUTH of [19] — using identical keys $s$ there; here, we will
later replace $s$ by two not necessarily equal strings $y$ and $y'$. For parameters
$k \cdot l = n$, let $s = s_0 \| s_1 \| \cdots \| s_{k-1}$ be the decomposition of the $n$-bit string $s$ into
$l$-bit substrings, interpreted as elements of $GF(2^l)$, and let, for $x \in GF(2^l)$,

$$p_s(x) := \sum_{i=0}^{k-1} s_i \cdot x^i \qquad (3)$$

be the evaluation in $x$ of the polynomial represented by $s$. Then the protocol
consists of repeating the following three rounds: First, Alice — the sender of the
message to be authenticated — sends a random challenge $c' \in \{0,1\}^l$ to Bob,
which he replies to by sending back the pair $(p_s(c'), c)$, where $c \in \{0,1\}^l$ is
another random challenge. Alice (after having checked the correctness of Bob’s
message — if it is incorrect, she rejects and aborts the protocol) then sends a
message bit and, if this bit is 1, the value $p_s(c)$ to confirm. Under the assumption
that an encoding of messages is used such that any insertion of a 0-bit (something
Eve obviously can do) as well as any bit flip from 1 to 0 can be detected — because
the resulting string is not a valid codeword — , this protocol was proven secure
in [19]; more precisely, it was shown to be hard for Eve (having non-vanishing
uncertainty in terms of min-entropy about $S = s$) to respond to a challenge,
made by one party, without being able to use the other as an oracle, and that
this fact implies the security of the protocol. Furthermore, it was shown that
an encoding of $m$-bit messages with the mentioned properties exists with code
word length $M = (1 + o(1))m$.
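The three-round step of Protocol AUTH, as an added example that is not code from the paper: the polynomial $p_s$ of (3) is evaluated in $GF(2^l)$ with $l = 8$ (the AES representation of $GF(2^8)$ is an assumption of the example; the paper only needs some representation of $GF(2^l)$), and `collision_count` shows the fact the security argument rests on, namely that two different strings $s \ne s'$ yield polynomials of degree below $k$ that agree on at most $k - 1$ challenges, so a party holding a wrong string answers a random challenge correctly with probability at most $(k-1)/2^l$. The message encoding with the codeword property mentioned above is left out; the bits are sent as they are.

```python
import random

# Constructed parameters for the example: l = 8, so each substring s_i is one
# byte and the field is GF(2^8) with the AES reduction polynomial
# x^8 + x^4 + x^3 + x + 1.  Keys are given as lists [s_0, ..., s_{k-1}].
L = 8
FIELD_SIZE = 1 << L
MODULUS = 0x11B


def gf_mul(a, b):
    """Multiply two elements of GF(2^8), reducing modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & FIELD_SIZE:
            a ^= MODULUS
        b >>= 1
    return r


def poly_eval(s, x):
    """p_s(x) = sum_{i<k} s_i x^i, equation (3), evaluated by Horner's rule."""
    acc = 0
    for coeff in reversed(s):
        acc = gf_mul(acc, x) ^ coeff
    return acc


def run_auth(alice_key, bob_key, message_bits, seed=None):
    """Run Protocol AUTH with Alice holding y' = alice_key and Bob holding
    y = bob_key.  Returns whether Alice and Bob accept and the bits Bob
    received.  `seed` only makes the example reproducible; real challenges
    must come from a cryptographically secure generator."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    received = []
    for bit in message_bits:
        # Round 1: Alice sends the challenge c'.
        c_prime = rng.randrange(FIELD_SIZE)
        # Round 2: Bob answers with p_y(c') and his own challenge c.
        response, c = poly_eval(bob_key, c_prime), rng.randrange(FIELD_SIZE)
        # Alice checks Bob's response against her own string; on mismatch
        # she rejects and aborts, so Bob never completes the protocol.
        if response != poly_eval(alice_key, c_prime):
            return {"alice": False, "bob": False, "received": received}
        # Round 3: Alice sends the message bit and, for a 1-bit, the
        # confirmation p_y'(c), which Bob compares with p_y(c).
        received.append(bit)
        if bit == 1 and poly_eval(alice_key, c) != poly_eval(bob_key, c):
            return {"alice": True, "bob": False, "received": received}
    return {"alice": True, "bob": True, "received": received}


def collision_count(s, s_prime):
    """Number of challenges c in GF(2^8) on which p_s and p_s' agree.  For
    s != s' the difference p_s - p_s' is a non-zero polynomial of degree
    below k, so the count is at most k - 1."""
    return sum(1 for c in range(FIELD_SIZE)
               if poly_eval(s, c) == poly_eval(s_prime, c))


if __name__ == "__main__":
    print(run_auth([1, 2, 3, 4], [1, 2, 3, 4], [1, 0, 1, 1], seed=3))
    print(run_auth([1, 2, 3, 4], [5, 2, 3, 4], [1, 0, 1, 1], seed=3))
    print(collision_count([1, 2, 3, 4], [1, 2, 3, 5]))
```

With equal strings every check passes and Bob receives the message; with the constructed mismatch `[5, 2, 3, 4]` the two polynomials differ by the constant 4 at every point, so Alice rejects in the first round. For `[1, 2, 3, 5]` the difference is $x^3$, which vanishes only at $c = 0$, giving exactly one agreeing challenge out of $2^8$, well within the $k - 1 = 3$ bound.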

Below, we will show the security of this protocol — from the receiver’s point
of view (like in one-way authentication) — even when the parties do not share the
same string and under the only assumption that Eve has some uncertainty about
Bob’s string ($y$). The main technical ingredient of this is Lemma 1, which implies,
roughly speaking, that under the given conditions, Eve can, with overwhelming
probability, either not respond to Alice’s challenges ($c'$) or not to Bob’s ($c$) — even
when given Alice’s string ($y'$). The intuitive reason for this is that it is either
useless or impossible for Eve to (impersonate Bob and) talk to Alice — depending
on whether her uncertainty about Alice’s string is small or not. Without loss of
generality, we state and prove Lemma 1 with respect to deterministic adversarial
strategies (given by the functions $f$ and $g$).
Lemma 1 Let $Y'$ and $Y$ be two random variables with joint distribution $P_{Y'Y}$
and ranges $\mathcal{Y}' = \mathcal{Y} = \{0,1\}^n$. Let $f : \{0,1\}^l \to \{0,1\}^l$ and $g : \{0,1\}^l \times
\{0,1\}^n \to \{0,1\}^l$ be two functions and, for uniformly — and independently of
$Y'Y$ — distributed random variables $C'$ and $C$ with ranges $\{0,1\}^l$, let

$$\alpha := \mathrm{Prob}_{Y'YC'C}\bigl[p_{Y'}(C') = f(C') \text{ and } p_Y(C) = g(C, Y')\bigr] ,$$

where $p_\cdot(\cdot)$ is the polynomial function (3). Then there exists $y \in \mathcal{Y}$ with

$$P_Y(y) \ge \Bigl(\alpha - \frac{2(k-1)}{2^l}\Bigr)^k .$$



Proof. Let for every particular value $y' \in \mathcal{Y}'$

$$r_{y'} := \mathrm{Prob}_{C'}\bigl[p_{y'}(C') = f(C')\bigr] = \frac{\bigl|\{c' \in \{0,1\}^l \mid p_{y'}(c') = f(c')\}\bigr|}{2^l}$$

and for every pair $(y, y') \in \mathcal{Y} \times \mathcal{Y}'$

$$r_{y|y'} := \mathrm{Prob}_{C}\bigl[p_{y}(C) = g(C, y')\bigr] = \frac{\bigl|\{c \in \{0,1\}^l \mid p_{y}(c) = g(c, y')\}\bigr|}{2^l} .$$

Then we have

$$\alpha = E_{Y'Y}\bigl[r_{Y'} \cdot r_{Y|Y'}\bigr] . \qquad (4)$$

Let us now consider the random experiment defined by

$$P_{Y'YC'_1 \cdots C'_k C_1 \cdots C_k} := P_{Y'Y} \cdot P_{C'_1 \cdots C'_k C_1 \cdots C_k} ,$$

where $P_{C'_1 \cdots C'_k C_1 \cdots C_k}$ is the uniform distribution over the subset of $(\{0,1\}^l)^{2k}$
satisfying that all the $C'_i$ and all the $C_i$ are distinct among each other. We then
have

$$\begin{aligned}
&\mathrm{Prob}\bigl[p_{Y'}(C'_i) = f(C'_i) \text{ for } i = 1, \ldots, k \text{ and } p_Y(C_i) = g(C_i, Y') \text{ for } i = 1, \ldots, k\bigr] \\
&\quad \ge E_{Y'Y}\Bigl[\, r_{Y'}\Bigl(r_{Y'} - \frac{1}{2^l}\Bigr) \cdots \Bigl(r_{Y'} - \frac{k-1}{2^l}\Bigr) \cdot r_{Y|Y'}\Bigl(r_{Y|Y'} - \frac{1}{2^l}\Bigr) \cdots \Bigl(r_{Y|Y'} - \frac{k-1}{2^l}\Bigr) \Bigr] \\
&\quad \ge E_{Y'Y}\Bigl[\Bigl(r_{Y'} - \frac{k-1}{2^l}\Bigr)^{k} \Bigl(r_{Y|Y'} - \frac{k-1}{2^l}\Bigr)^{k}\Bigr] \\
&\quad \ge E_{Y'Y}\Bigl[\Bigl(r_{Y'} \cdot r_{Y|Y'} - (r_{Y'} + r_{Y|Y'}) \cdot \frac{k-1}{2^l}\Bigr)^{k}\Bigr]
\;\ge\; \Bigl(\alpha - \frac{2(k-1)}{2^l}\Bigr)^{k} . \qquad (5)
\end{aligned}$$

The last inequality in (5) follows from the fact that $x \mapsto x^k$ is a convex function
and Jensen’s inequality [5], from (4), and from $r_{y'}, r_{y|y'} \le 1$.

Let $A_k$ be the event the probability of which is bounded in (5). Since, for
$x \in \{0,1\}^n$, $k$ values $p_x(c)$ (for $k$ distinct $c$’s) uniquely determine $x$, we have,
given that $A_k$ occurs, that $Y'$ is uniquely determined and $Y$ is uniquely deter-
mined given $Y'$; together, we get that there exist $y' \in \mathcal{Y}'$ and $y \in \mathcal{Y}$ such that
$P_{Y'Y|A_k}(y', y) = 1$ — hence $P_Y(y) \ge \mathrm{Prob}[A_k]$ for this particular value $y$. □

We will now state and prove the described property of the interactive au-
thentication protocol AUTH (Theorem 3). This and other proofs in the paper
make use of Lemma 2 (see [4], [17], [19]), which implies that when $d$ (physical)
bits of side information about a random variable are leaked, then its conditional
min-entropy is not reduced by much more than $d$ except with small probability.

Lemma 2 [4], [17], [19] Let $S$, $V$, and $W$ be random variables such that $S$
and $V$ are independent, and let $b > 0$. Then

$$\mathrm{Prob}_{VW}\bigl[H_\infty(S|V = v, W = w) \ge H_\infty(S) - \log|\mathcal{W}| - b\bigr] \ge 1 - 2^{-b} .$$



Theorem 3 Assume that two parties Alice and Bob know $n$-bit strings $Y'$ and
$Y$, respectively. Given that $H_\infty(Y|U = u) \ge tn$ holds for some constant $0 <
t < 1$, where $U = u$ summarizes an adversary Eve’s entire knowledge, Alice can
use Protocol AUTH to send authenticated messages of length $m$ of order at most
$O(tn/(\log n)^2)$ to Bob by communication over a completely insecure channel.
The probability of a successful active attack, which is the event that Bob accepts
although the message he received is not the correct one (or although Alice rejects),
is of order  . If, on the other hand, Eve is passive and $Y' = Y$ holds,
then Alice and Bob accept with certainty and Bob receives the correct message.

Proof. Let $m$ be the length of the message Alice wants to send to Bob; the number
of executions of the three-round step in Protocol AUTH is then $M = (1 + o(1))m$.

Since each party responds to at most $M$ challenges during the protocol ex-
ecution (and would then reject and abort), the min-entropy of $Y$, from Eve’s
viewpoint, at any point of the protocol, given all the communication $C = c$ she
has seen, is, according to Lemma 2 (applied $2M$ times), at least

$$H_\infty(Y|U = u, C = c) \ge tn - 2Ml - 2Ma$$

with probability at least $1 - 2M \cdot 2^{-a}$. We conclude that there exist choices of the
protocol parameters of order $l = O(n/M)$ and $k = O(M)$ — and a suitable choice
of the auxiliary parameter $a$ — such that we get the following:

There exists $f(n) = \Omega(n)$ with $\mathrm{Prob}\bigl[H_\infty(Y|U = u, C = c) < f(n)\bigr] <  \; . \qquad (6)$

As described above, a successful attack of the protocol implies that Eve has
been able to answer a challenge generated by one of the parties without help
from the other party (i.e., without receiving any message from the other party
between receiving the challenge and sending the corresponding response). The
first possibility is that a challenge of Alice is responded to without Bob’s help; here,
it is necessary for Eve to also answer at least one of Bob’s challenges successfully
(an attack is successful only if Bob is fooled) — possibly with Alice’s “help”,
however. Let therefore $A$ be the event that Eve correctly responds to one of the
at most $M$ challenges by Alice, and to one of Bob’s at most $M$ challenges given
Alice’s string $Y'$. According to Lemma 1, and because of the union bound, we
have

$$\mathrm{Prob}[A] \le M^2 \cdot \Bigl(2^{-f(n)/k} + \frac{2k}{2^l}\Bigr) .$$

Hence, because of (6), the success probability of this attack is at most 

^ 2-t2(n) _ 

(note that $M/2^l =  $ and $M^2 \cdot 2^{-\Omega(n/M)} =  $ hold since $M =
O(tn/(\log n)^2)$). The second possibility of an attack is that a challenge of Bob is
responded to without Alice’s help. The probability of this is, because of (6) and by
a similar but simpler reasoning as the one used above, of order  . The
application of the union bound concludes the proof. □



2.2 Information Reconciliation over Unauthenticated Channels 

We will now use the described authentication protocol, and its new property
established in the previous section, for the construction of a protocol for infor-
mation reconciliation by completely insecure communication. Information rec-
onciliation is interactive error correction: Two parties, knowing strings $X$ and
$Y$, respectively, should share a common string at the end (e.g., one of the initial
strings). The idea is to use Protocol AUTH in such a way that the parties can
detect active attacks at any point in the protocol.

According to Lemma 4, the error correction itself can be done by exchanging
redundancy, where the latter is generated by applying universal hashing⁵ to the
input strings; this is efficient with respect to the required communication, but
computationally inefficient for one of the parties (Alice in our case). In the special
but typical scenario where $X$ and $Y$ are bitstrings which differ in a certain limited
number of positions, more efficient methods, based on concatenated codes [10],
can be used instead in Protocol IR below.

Lemma 4 Let $X$ and $Y$ be distributed according to $P_{XY}$ such that $H_0^{\max}(Y|X) \le
r$ holds. Let, for some integer $s > 0$, $\mathcal{H}$ be a universal class of functions $h : \mathcal{Y} \to
\{0,1\}^{r+s}$, and let $H$ be the random variable corresponding to the random choice,
independently of $X$ and $Y$, of a function in $\mathcal{H}$ according to the uniform distri-
bution. Then

$$\mathrm{Prob}\bigl[\text{there exists } \bar{Y} \ne Y \text{ with } H(\bar{Y}) = H(Y) \text{ and } P_{Y|X}(\bar{Y}, X) > 0\bigr] \le 2^{-s} .$$



⁵ A class $\mathcal{H}$ of functions $h : A \to B$ is 2-universal — or universal for short — if, for all
$a, a' \in A$, $a \ne a'$, we have $|\{h \mid h(a) = h(a')\}| = |\mathcal{H}|/|B|$.
Proof. For $x \in \mathcal{X}$, let $\mathcal{Y}_x := \{y \in \mathcal{Y} \mid P_{Y|X}(y, x) > 0\}$. We have $|\mathcal{Y}_x| \le 2^r$. Since
for any $y, \bar{y} \in \mathcal{Y}_x$, $y \ne \bar{y}$, and random $H \in \mathcal{H}$ the probability that $H(y) = H(\bar{y})$
holds is at most $1/2^{r+s}$, we have

$$\mathrm{Prob}_{YH}\bigl[\text{there exists } \bar{Y} \in \mathcal{Y}_x, \bar{Y} \ne Y, \text{ such that } H(\bar{Y}) = H(Y)\bigr]$$

$$\le |\mathcal{Y}_x| \cdot \mathrm{Prob}\bigl[H(y) = H(\bar{y}) \text{ for some } \bar{y} \ne y\bigr] \le 2^r \cdot \frac{1}{2^{r+s}} = 2^{-s}$$

by the union bound. The statement then follows when the expectation over $X$
is taken. □

In Protocol IR, $D$ and $T$ are parameters to be determined below, and $\mathcal{H}$ is a
universal class of functions from $\{0,1\}^n$ to $\{0,1\}^D$. Furthermore, $\mathrm{AUTH}_{Y',Y}(M)$
means that the message $M$ is sent using Protocol AUTH, where the “keys” used
by the sender (Alice) and the receiver (Bob) are $Y'$ and $Y$, respectively.

Protocol IR (Information Reconciliation)

Alice: $X \in \{0,1\}^n$                                Bob: $Y \in \{0,1\}^n$

                                                  Bob chooses $H \in_r \mathcal{H}$,
                                                  $H : \{0,1\}^n \to \{0,1\}^D$

                 ⟵ $H,\ H(Y)$ ⟵

Alice computes $Y' \in \mathcal{Y}_X$ with
$H(Y') = H(Y)$,
chooses $R \in_r \{0,1\}^T$,
and computes $p_{Y'}(R)$

                 ⟶ $\mathrm{AUTH}_{Y',Y}\bigl((R, p_{Y'}(R))\bigr)$ ⟶

Alice: accept, $Y'$                                 Bob: if $p_{Y'}(R) = p_Y(R)$: accept, $Y$;
                                                  otherwise: reject.



The content of the second message serves as a verification of whether the string
$Y'$ computed by Alice is correct. Clearly, it has to be authenticated because
of possible substitution attacks. It is an interesting point that because of this
authentication, Alice can choose the “challenge” string $R$ herself: If the authen-
tication is successful, Bob knows that $R$ is indeed the challenge generated by
Alice, and hence random.

Note that although applied in a — symmetric — context where two parties
want to generate a common secret key, Protocol IR is secure (for Bob) in the
same — asymmetric — sense as the authentication protocol: Either everything goes
well or Bob will know it did not (with high probability).
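Protocol IR in the bounded-error scenario mentioned above, as an added example that is not the paper's code: Bob's redundancy is $H(Y)$ for a random GF(2)-linear map (a 2-universal class), Alice searches the candidate set $\mathcal{Y}_X$, here all strings within Hamming distance 2 of $X$ (an assumption of the example, with $n = 32$, $D = r + s = 10 + 30$ so that Lemma 4 bounds a wrong match by $2^{-30}$), and the verification value $p_{Y'}(R)$ is evaluated over a prime field $GF(2^{61}-1)$ rather than $GF(2^T)$ as in the paper, a simplification that keeps the degree argument of Theorem 5's proof (two distinct polynomials of degree $n/T - 1$ agree on at most $n/T - 1$ values of $R$). The authenticated delivery of the second message is assumed to have succeeded, which is the situation the proof of Theorem 5 reduces to.

```python
import random
from itertools import combinations

# Constructed parameters.  |Y_x| = sum_{i<=2} C(32, i) = 529, so r = 10.
N_BITS = 32
MAX_ERRORS = 2
HASH_BITS = 40        # D = r + s with s = 30
CHUNK_BITS = 16       # T: Y' is read as n/T = 2 coefficients of T bits
PRIME = 2**61 - 1     # simplification: the paper evaluates p_{Y'} over GF(2^T)


def random_linear_hash(rng, d=HASH_BITS, n=N_BITS):
    """Draw H uniformly from the 2-universal class of GF(2)-linear maps
    {0,1}^n -> {0,1}^d, stored as d row masks."""
    return [rng.getrandbits(n) for _ in range(d)]


def apply_hash(rows, y):
    """H(y): one parity bit per row."""
    out = 0
    for row in rows:
        out = (out << 1) | (bin(row & y).count("1") & 1)
    return out


def candidates(x, max_errors=MAX_ERRORS, n=N_BITS):
    """Y_x = {y : P_{Y|X=x}(y) > 0}: strings within Hamming distance max_errors of x."""
    for t in range(max_errors + 1):
        for positions in combinations(range(n), t):
            mask = 0
            for i in positions:
                mask |= 1 << i
            yield x ^ mask


def chunks(y, t=CHUNK_BITS, n=N_BITS):
    """Split an n-bit string into n/T coefficients of T bits each."""
    return [(y >> (i * t)) & ((1 << t) - 1) for i in range(n // t)]


def poly_eval_mod_p(coeffs, r):
    """p_y(r) = sum_i y_i r^i over GF(PRIME), by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * r + c) % PRIME
    return acc


def protocol_ir(x, y, rng):
    """Protocol IR with a passive Eve.  Returns (Alice's Y', Bob's verdict)."""
    # Bob -> Alice: the hash function H and the redundancy H(Y).
    rows = random_linear_hash(rng)
    tag = apply_hash(rows, y)
    # Alice: search Y_x for a string consistent with the redundancy.  By
    # Lemma 4 it is unique except with probability 2^-s.
    matches = [c for c in candidates(x) if apply_hash(rows, c) == tag]
    if not matches:
        return None, False
    y_prime = matches[0]
    # Alice -> Bob (sent with AUTH_{Y',Y}): a random R and p_{Y'}(R).
    r = rng.randrange(PRIME)
    check = poly_eval_mod_p(chunks(y_prime), r)
    # Bob accepts Y iff p_Y(R) agrees.
    return y_prime, check == poly_eval_mod_p(chunks(y), r)


def demo(seed=7, errors=(3, 20)):
    """Constructed instance: Y random, X = Y with the given bit positions flipped."""
    rng = random.Random(seed)
    y = rng.getrandbits(N_BITS)
    x = y
    for i in errors:
        x ^= 1 << i
    y_prime, accepted = protocol_ir(x, y, rng)
    return y, y_prime, accepted


if __name__ == "__main__":
    print(demo(7))                          # Alice recovers Y, Bob accepts
    print(demo(7, errors=(1, 9, 27)))       # Y is outside Y_x: Bob rejects
```

The second call shows the failure mode that matters for Bob: when Alice's string is further from $Y$ than her candidate set allows, she either finds no consistent candidate or, with probability at most $|\mathcal{Y}_x| \cdot 2^{-D}$, a wrong one, and in the latter case the polynomial check rejects it except with probability $(n/T - 1)/|GF(\mathrm{PRIME})|$.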
Theorem 5 Assume that two parties Alice and Bob know the value of a random
variable $X$ and an $n$-bit string $Y$, respectively, and that

$$H_\infty(Y|U = u) - H_0^{\max}(Y|X) \ge tn \qquad (7)$$

holds for some constant $0 < t < 1$, where $U = u$ summarizes an adversary’s
entire knowledge. Then Protocol IR (with suitable parameter choices) — carried
out over a completely insecure channel — achieves the following. If Eve is passive,
then Alice and Bob both accept and the string $Y'$ computed by Alice is equal to
$Y$ except with probability  . In general, it is true except with prob-
ability   that either Bob rejects or both accept and $Y' = Y$ holds.

Furthermore, the remaining conditional min-entropy of $Y$ given Eve’s initial in-
formation and the protocol communication is of order $(1 - o(1))tn$ with probability

$$2^{-\Omega(n/\log n)} .$$



Proof. Let us assume that Eve is passive. Let the parameter $D$ be of order
$D = H_0^{\max}(Y|X) + \Theta(n/\log n)$. Then we have, according to Lemma 4, that
Alice’s guess $Y'$ — from $X$ and $H(Y)$ — is uniquely determined and hence correct
except with probability  .

Let us now consider the general case where Eve is possibly an active adver-
sary. We first analyze the properties of the authentication of the confirmation
message sent from Alice to Bob. Let the parameter $T$ be of order $T = \Theta(\sqrt{n})$.
We will argue that with high probability, either Bob rejects or Alice and Bob
both accept and the values $(R, p_{Y'}(R))$ as received by Bob are the ones sent by
Alice and, finally, that this implies that $Y' = Y$ holds, i.e., that Alice and Bob
share the same string, the min-entropy of which, from Eve’s viewpoint, is still
$(1 - o(1))tn$.

First, we get, using Lemma 2 with the parameter choice $b = \Theta(n/\log n)$,
that there exist functions $f(n) = (1 - o(1))tn$ and $g(n) = \Omega(n/\log n)$ such that

$$\mathrm{Prob}\bigl[H_\infty(Y|U = u, H = h, H(Y) = h(y)) \ge f(n)\bigr] \ge 1 - 2^{-g(n)} .$$

Because of this, Theorem 3 implies that the authentication works — even if, for
instance, Eve had modified the error-correction information sent in the first
message and knows $Y'$ perfectly. The length of the message to be authenticated
with Protocol AUTH is of order $O(\sqrt{n})$, and we choose the protocol parameter $l$
to be $l = O(\sqrt{n}/\log n)$ to make sure that the remaining min-entropy, given all the
communication, is still an arbitrarily large fraction of $tn$. The success probability
of the protocol is then, according to the proof of Theorem 3, $1 -  $.

Let us hence assume now that Bob actually received the correct message
$(R, p_{Y'}(R))$ as sent by Alice. Since $R$ is a truly random string (in particular,
independent of $Y'$) chosen by Alice, and since $p_y(r) = p_{y'}(r)$ can hold for at
most $\deg(p_y) = n/T - 1 = O(\sqrt{n})$ different values of $r$ for any $y' \ne y$, we have
that with probability $1 -  $ either Alice has the correct string, or Bob
realizes that she does not.

Finally, the remaining min-entropy is still roughly the same with high prob-
ability since the total number of bits sent is of order $O(n/\log n) = o(n)$. From
Lemma 2, we get that there exist $f(n) = (1 - o(1))tn$ and $g(n) = \Omega(n/\log n)$
such that we have $\mathrm{Prob}\bigl[H_\infty(Y|U = u, C = c) \ge f(n)\bigr] \ge 1 - 2^{-g(n)}$, where $C = c$
is the entire protocol communication. This concludes the proof. □

Remark. In Theorem 5 — as well as in Theorems 6, 7, and 8 and Corollary 9
below — the assumed entropy bounds can be conditioned on an event $\mathcal{A}$ if at the
same time the claimed protocol failure probabilities are increased by $1 - \mathrm{Prob}[\mathcal{A}]$.
An example for which this can lead to substantially stronger statements is when
the random variables $X = (X_1, \ldots, X_n)$, $Y = (Y_1, \ldots, Y_n)$, and $U = (U_1, \ldots, U_n)$
arise from $n$ independent repetitions of a certain random experiment $P_{X_iY_iU_i}$.
In this case, $\mathcal{A}$ can be the event that the actual outcome sequences are typical
(see [5]). This is a good choice because $\mathcal{A}$ occurs except with exponentially (in
$n$) small probability, and because

$$H_\infty(Y|U = u, \mathcal{A}) \approx H(Y_1|U_1) \cdot n \gg H_\infty(Y|U = u)$$

and

$$H_0^{\max}(Y|X, \mathcal{A}) \approx H(Y_1|X_1) \cdot n \ll H_0^{\max}(Y|X)$$

can hold. (See also Example 1 below.)

2.3 The Price for One-Sided Authenticity and Confidentiality 

In [19], Protocol PA, allowing for privacy amplification over a completely inse-
cure channel, was presented. Privacy amplification [3], [2] means to generate,
from an only weakly secret shared string, a shorter but highly secret key. Pro-
tocol PA — which uses Protocol AUTH as well as extractors as its main ingredi-
ents — has been shown to extract virtually all the min-entropy of an arbitrarily
weakly secret string.

Theorem 6 [19] Assume that Alice and Bob both know the same $n$-bit string
$Y$ satisfying $H_\infty(Y|U = u) \ge tn$ for some constant $0 < t < 1$, where $U = u$
summarizes Eve’s entire information about $Y$. Then Protocol PA, using two-way
communication over a completely insecure channel, has the following properties.
Both Alice and Bob either reject or accept and compute strings $S_A$ and $S_B$,
respectively, such that if Eve is passive, then Alice and Bob accept and there exists
a $(1 - o(1))tn$-bit string $S$ that is uniformly distributed from Eve’s viewpoint and
such that $S_A = S_B = S$ holds except with probability  . In general
(i.e., if Eve is possibly active), either both parties reject or there exists a string
$S$ with the above properties, except with probability  .

Putting everything together, we can now conclude that the combination of 
Protocols IR and PA achieves what we had stated initially, namely asymmetric 
unconditional security for Bob from a very weak initial primitive. Given that 
Bob accepts at the end of the protocol, he shares a secret key with Alice. He can 
then send unconditionally confidential messages to her and receive authenticated 
messages from her. 
Theorem 7 Assume that two parties Alice and Bob know a random variable $X$
and an $n$-bit string $Y$, respectively, and that $H_\infty(Y|U = u) - H_0^{\max}(Y|X) \ge tn$
holds for some constant $0 < t < 1$, where $U = u$ summarizes an adversary’s
entire knowledge. Then the combination of Protocols IR and PA, carried out
over a completely insecure channel, achieves the following. Alice and Bob both
either reject or accept and compute strings $S_A$ and $S_B$, respectively, such that if
Eve is passive, then Alice and Bob accept and there exists a $(1 - o(1))tn$-bit string
$S$ that is uniformly distributed from Eve’s viewpoint and such that $S_A = S_B = S$
holds except with probability  . In general, either Bob rejects or Alice
and Bob accept, and the above holds, except with probability  .

Proof. Follows from Theorems 5 and 6. □ 



3 Impossibility Results and Lower Bounds 

3.1 Two-Sided Security Requires Stronger Conditions 

All protocols presented in Section 2 are asymmetric in the sense that the gener-
ated security is on Bob’s side only. (Alice, for instance, could be talking to Eve
instead of Bob without realizing this.) Example 1 shows that security for Alice
simply cannot be achieved under assumptions as weak as that. This implies that
the price for unconditional security on one side is strictly lower than for such
security on both sides. The same is already well-known in the computational-
security model, as the example of public-key cryptography demonstrates.

Example 1. Let X = {Xi, . . . , Xn) be a uniformly distributed n-bit string, and 
let Y = (Fi, . . . , Yn) and U = {Ui, . . . , [/„) be n-bit strings jointly distributed 
with X according to® 

n 

PyUlxHUl ) ■ ■ ■ ) Un), (wi , ... , Un), {xi, ... , Xn)) = s\ ' \duiXi £| (8) 

i=l 

for some 0 < £ < 1/2. Equation (8) means that the t-th bits of Y and U are 
generated by sending Xi over two independent binary symmetric channels with 
error probability e. 

Let now A be the event — which occurs except with exponentially (in n) small probability — that all the involved strings are typical sequences. Then we have, roughly,^6 H_∞(Y | U = u, A) ≈ h(2ε − 2ε²)n and H_0^{ext}(Y | X, A) ≈ h(ε)n. Because of 2ε − 2ε² > ε, the condition of Theorem 7 is satisfied. On the other hand, Bob has no advantage over Eve from Alice's viewpoint since Eve is able to simulate [17] Bob towards Alice: She can generate a random variable from U — in fact, she can use U itself — which has the same joint distribution with X as Y does, P_{XU} = P_{XY}. Hence Alice will never be able to tell Bob and Eve apart.

^5 Here, δ_ij is the Kronecker symbol, i.e., δ_ij = 1 if i = j and δ_ij = 0 otherwise.

^6 We denote by h(p) the binary entropy function h(p) = −(p log p + (1 − p) log(1 − p)).
3.2 Optimality of the Achieved Secret-Key Length

The protocols we have presented in Section 2 are universal and work for all 
possible specific probability distributions under the only assumption that the 
entropy condition (7) is satisfied. In other words, our protocols work for large 
classes of probability distributions, where Alice and Bob do not have to know the 
nature of Eve’s information, i.e., the particular distribution, but only that the 
corresponding entropy bound is satisfied. In this sense, our protocols are optimal: 
In many situations, no protocol can extract a longer secret key — even when 
the communication channel is assumed authentic. (It should be noted, however, 
that there are specific settings in which key agreement by authenticated public 
communication is possible even though the expression in (7) is negative [13].) 

This can be illustrated with the setting where Bob's random variable Y is uniformly distributed (also from Eve's viewpoint) and Alice's X provides her uniformly with deterministic information about Y: For every value x it can take, P_{Y|X=x} is the uniform distribution over a set 𝒴_x of size |𝒴|/|𝒳| (and these sets are disjoint for different values of x). After the execution of a key-agreement protocol, Alice has to know (with overwhelming probability) the key S generated by Bob. Eve, on the other hand, should be (almost) completely ignorant about it. Clearly, this can be satisfied only if there are at least as many possible values Alice can initially have as possible keys. Therefore, we always have, roughly, |𝒮| ≤ |𝒳| = |𝒴|/|𝒴_x|, and hence

$$\mathrm{len}(S) \approx \log|\mathcal{S}| \le \log|\mathcal{Y}| - \log|\mathcal{Y}_x| = H_\infty(Y) - H_0^{ext}(Y \mid X).$$

4 Two-Way Security Under New and Weaker Assumptions

In this section we determine the price for achieving unconditional security for both Alice and Bob. The conditions we will find are weaker than the ones known previously (such as, for instance, a highly insecure but common string [19]).

We first give Protocol IR+, an extension of Protocol IR offering security also for Alice. After the first two protocol steps, which are the same as in Protocol IR, Alice sends error correction information H'(X) about her initial string X (here, H' is from a universal class 𝓗' with suitable parameters) to Bob, who then uses his "estimate" X' of X as the authentication key for sending a challenge-response pair for Y. If Alice receives this correctly, and if it corresponds to the value p_{Y'}(R') she can compute herself, she can be convinced that Y' = Y holds. The crucial observation for proving Theorem 8 is that the given entropy condition on Y also implies that Eve, having seen all the error-correction information and other messages, still has Ω(n) of min-entropy about X — because the same holds for Y. The reason is that given all the protocol communication, Y can — with overwhelming probability — be computed from X, and vice versa.
Protocol IR+ (Two-Secure Information Reconciliation)

Alice                                                Bob

X ∈ {0,1}^n                                          Y ∈ {0,1}^n

                                                     H ∈_r 𝓗,
                                                     H : {0,1}^n → {0,1}^…

                        ←  H, H(Y)  ←

Y' ∈ 𝒴_X
  with H(Y') = H(Y)

R ∈_r {0,1}^…
compute p_{Y'}(R)

                 →  AUTH_{Y'→Y}((R, p_{Y'}(R)))  →

H' ∈_r 𝓗',                                           if p_{Y'}(R) ≠ p_Y(R): reject
H' : {0,1}^n → {0,1}^…

                        →  H', H'(X)  →

                                                     X' ∈ 𝒳_Y
                                                       with H'(X') = H'(X)

                                                     R' ∈_r {0,1}^…

                 ←  AUTH_{X'→X}((R', p_Y(R')))  ←

if p_Y(R') ≠ p_{Y'}(R'): reject

otherwise: accept, Y'                                accept, Y.



Theorem 8. Assume that two parties Alice and Bob know n-bit strings X and Y, respectively, and that

$$H_\infty(Y \mid U = u) - H_0^{ext}(Y \mid X) \ge tn$$

holds for some constant 0 < t < 1, where U = u summarizes an adversary's entire knowledge. Then Protocol IR+ (for suitable parameter choices) — carried out over a completely insecure channel — achieves the following. If Eve is passive, then Alice and Bob both accept and the string Y' computed by Alice is equal to Y except with probability . In general, it is true except with probability $2^{-\Omega(\sqrt{n}/\log n)}$ that either both parties reject or Y' = Y holds. Furthermore, the remaining min-entropy of Y given Eve's initial information and the protocol communication is of order (1 − o(1))tn with probability 1 − .

Proof. Follows from Theorem 5, Lemma 4, and Theorem 3. □



Corollary 9. Assume that two parties Alice and Bob know n-bit strings X and Y, respectively, and that

$$H_\infty(Y \mid U = u) - H_0^{ext}(Y \mid X) \ge tn$$

holds for some constant 0 < t < 1, where U = u summarizes an adversary's entire knowledge. Then the combination of Protocols IR+ and PA, carried out over a completely insecure channel, achieves the following. Alice and Bob both either reject or accept and compute strings S_A and S_B, respectively, such that if Eve is passive, then Alice and Bob both accept and there exists a (1 − o(1))tn-bit string S that is uniformly distributed from Eve's viewpoint and such that S_A = S_B = S holds except with probability . In general, either both parties reject or there exists a string S with the above properties, except with probability .

Proof. Follows from Theorems 8 and 6. □

5 Concluding Remarks 

In this paper we have determined, so to speak, a minimal price for uncondi- 
tional security. For two parties connected by a completely insecure bidirectional 
communication channel, we have described the weakest possible information- 
theoretic primitive necessary for obtaining security on one end of the chan- 
nel — i.e., guaranteed exclusivity of read and write access to the channel on its 
other end. Roughly speaking, we found that whenever Eve’s uncertainty about 
the information of the party at one end of the channel exceeds the uncertainty 
about the same information as seen by the party at the channel’s other end, then 
the entire entropy difference can be transformed into a key which is secret for 
the former party. This asymmetric notion of security for one party means that 
either the two parties share a secret key, or this — designated — party knows that 
they do not. 

One of the consequences of our protocols is that the required conditions for the possibility of secret-key agreement in general, and quantum key distribution in particular, can be relaxed substantially: Quantum key agreement has sometimes been perceived to be key extension rather than actual key generation, in view of the usually made assumption that the two parties already share a short unconditionally secret key initially, from which they can then produce a longer key (where the initial key is required for authenticating the public communication exchanged for processing the raw key). Our results show that this condition is unnecessary and can be replaced by a much weaker assumption.
Abstract. In the bounded-storage model (BSM) for information-theoretically secure encryption and key-agreement one uses a random string
R whose length t is greater than the assumed bound s on the adversary 
Eve’s storage capacity. The legitimate parties Alice and Bob share a short 
initial secret key K which they use to select and combine certain bits 
of R to obtain a derived key X which is much longer than K. Eve can 
be proved to obtain essentially no information about X even if she has 
infinite computing power and even if she learns K after having performed 
the storage operation and lost access to R. 

This paper addresses the problem of generating the initial key K and 
makes two contributions. First, we prove that without such a key, se- 
cret key agreement in the BSM is impossible unless Alice and Bob have 
themselves very high storage capacity, thus proving the optimality of 
a scheme proposed by Cachin and Maurer. Second, we investigate the 
hybrid model where K is generated by a computationally secure key 
agreement protocol. The motivation for the hybrid model is to achieve 
provable security under the sole assumption that Eve cannot break the 
key agreement scheme during the storage phase, even if afterwards she 
may gain infinite computing power (or at least be able to break the key 
agreement scheme). In earlier work on the BSM, it was suggested that 
such a hybrid scheme is secure because if Eve has no information about 
K during the storage phase, then she has missed any opportunity to 
know anything about X, even when later learning K. We show that this 
very intuitive and apparently correct reasoning is false by giving an ex- 
ample of a secure (according to the standard definition) computational 
key-agreement scheme for which the BSM-scheme is nevertheless com- 
pletely insecure. One of the surprising consequences of this example is 
that existing definitions for the computational security of key-agreement 
and encryption are still too weak and therefore new, stronger definitions 
are needed. 
European Community Research Training Network ("GAMES" contract HPRN-CT-2002-00283), and by the Foundation for Polish Science (FNP).



C. Cachin and J. Camenisch (Eds.): EUROCRYPT 2004, LNCS 3027, pp. 126–137, 2004.
(c) International Association for Cryptologic Research 2004

On Generating the Initial Key in the Bounded-Storage Model



1 Introduction 

In the bounded-storage model (BSM) for information-theoretically secure encryption and key-agreement one can prove the security of a scheme based on the sole assumption that the adversary's storage capacity is bounded, say by s bits, even if her computing power is unlimited. Assume that a random t-bit string R is either temporarily available to the public (e.g. the signal of a deep space radio source) or broadcast by one of the legitimate parties. If s < t, then the adversary can store only partial information about R. The legitimate parties Alice and Bob, sharing a short secret key K initially, can therefore potentially generate a very long n-bit one-time pad X with n ≫ |K| about which the adversary has essentially no information.

1.1 Definition of the Bounded-Storage Model

We define the bounded-storage model for key-expansion (and encryption) more formally. Alice and Bob share a short secret initial key K, selected uniformly at random from a key space 𝒦, and they wish to generate a much longer n-bit expanded key X = (X_1, ..., X_n) (i.e. n ≫ log_2 |𝒦|).

In a first phase, a t-bit random string R is available to all parties, i.e., the randomizer space is 𝓡 = {0,1}^t. For instance, R is sent from Alice to Bob or broadcast by a satellite. In fact, R need not be uniformly random, it suffices to know a lower bound on the min-entropy H_∞(R) of R. Alice and Bob apply a known key-expansion function

$$f : \mathcal{R} \times \mathcal{K} \to \{0,1\}^n$$

to compute the expanded (or derived) key as X = f(R, K). Of course, the function f must be efficiently computable and based on only a very small portion of the bits of R such that Alice and Bob need not read the entire string R.

Eve can store arbitrary s bits of information about R, i.e., she can apply an arbitrary storage function

$$h : \mathcal{R} \to \mathcal{U}$$

for some 𝒰 with the only restriction that |𝒰| ≤ 2^s.^3 The memory size during the evaluation of h need not be bounded. The value stored by Eve is U = h(R). After storing U, Eve loses the ability to access R. (This is also referred to as the second phase.) All she knows about R is U. In order to prove as strong a result as possible, one assumes that Eve can now even learn K, although in a practical system one would of course keep K secret. This strong security property will be of special importance in this paper.

A key-expansion function f is secure in the bounded-storage model if, with overwhelming probability, Eve, knowing U and K, has essentially no information about X. More precisely, the conditional probability distribution P_{X|U=u,K=k} is very close to the uniform distribution over the n-bit strings, with overwhelming probability over values u and k. Hence X can be used as a secure one-time pad. Of course the security of f depends on Eve's memory size s.

^3 Since for every probabilistic strategy there is a best choice of the randomness, we can without loss of generality consider only deterministic adversary strategies.

1.2 The Subject of this Paper and Previous Results 

The bounded-storage model was proposed initially in 1992 [15], but the really strong (and essentially optimal) security results were proved only recently in a sequence of papers [2,1,10,11,14,17]. The first security proof for general storage functions h was obtained by Aumann and Rabin [2], but only for n = 1 (i.e., for a scheme in which the derived key X is much shorter than the initial key) or for s ≪ t (i.e., when the size of the memory of the adversary is much smaller than the length of the randomizer). The first fully general security proof was given in [11]. Lu [14] and Vadhan [17] showed that a special type of randomness extractor can be used to construct secure schemes, also improving on the size of the initial key K.

In all these papers one assumes that Alice and Bob initially share a secret key K, usually without considering how such a key K is obtained by Alice and Bob. In this paper we address the problem of generating this key K and investigate how this key generation process relates to the security proof of the BSM. We discuss the two most natural approaches to generating K, in a setting where Alice and Bob are connected only by an authenticated communication channel, without a trusted third party that initially distributes the key K.

The first approach is to generate K within the context of the BSM itself or, equivalently, to perform key agreement in the BSM without sharing any secret key K initially. This approach was discussed by Cachin and Maurer in [3] where a scheme was proposed in which both Alice and Bob need storage on the order of √t. More precisely, they each store a random subset (with pairwise independent indices) of the bits of R and, after R has disappeared for all parties, publicly agree on which bits they have both stored. With very high probability, Eve has only partial information about these bits, and therefore Alice and Bob can apply privacy amplification (i.e., randomness extraction using a strong extractor with a public extractor parameter) to distill an essentially perfect key X, which they can then use as a one-time pad. We show (Section 3) that the protocol of [3] is essentially optimal (in terms of the ratio between the storage size of the honest parties and the adversary) if s is on the order of t. Since the storage requirement of √t (which is also on the order of √s) bits for Alice and Bob may be too high for a reasonable storage bound s for Eve, the practicality of this approach is questionable.

The second approach is to generate K by a computationally secure key-agreement protocol, for instance based on the Diffie-Hellman protocol [7]. At first, this approach may appear to be completely useless since the provable information-theoretic security of the BSM-scheme would be lost: A computationally unbounded adversary could break the computational key-agreement protocol and then play the role of either Alice or Bob, with the same (small) storage requirements. However, at second sight, this approach is quite attractive as it allows one to preserve the security of the key agreement protocol, which is only computational, even if the adversary can later break it and even if she gains infinite computing power.

It was claimed in [1] (Section IV B) (also, less formally, in [10] (p. 5), [9] (p. 11) and [14] (p. 2)) that this implies the security of the hybrid scheme, for the following reason. Let T be the transcript of the key agreement protocol. The adversary has (computationally) no information about K, given T, when performing the storage operation. More precisely, she could not distinguish K from a truly random and independently generated key (as in the pure BSM). Therefore she could just as well forget T and generate a random key K herself, in which case she obviously has no advantage over the pure BSM setting. Since in this setting Eve learns K anyway after finishing the storage operation, it does not hurt in the computational setting if Eve can now break the key-agreement scheme and compute K (from T). Note that all the remaining aspects of the security proof are entirely information-theoretic.

It may come as a surprise that this reasoning is false, as is proved in Section 4. 
More specifically, we give an example of a computationally secure (according to 
the standard definition) key-agreement scheme which, when used to generate 
K in the BSM context, renders the latter completely insecure. This shows that 
security arguments in a mixed computational/information-theoretic context can 
be very subtle. More interestingly, it demonstrates that existing definitions for 
the computational security of key-agreement and encryption are still too weak. 
Therefore new, stronger definitions are needed. 

2 Preliminaries 

The treatment in this paper is intentionally quite informal, but it is obvious how 
all aspects could be formalized in the traditional manner used in cryptography. 
The computation of a party (or algorithm) can be modelled by a probabilistic 
Turing machine, a protocol for two parties can be modelled as two interactive 
Turing machines, cryptographic primitives (such as key agreement) can be mod- 
elled as an asymptotic family with a security parameter, efficient can be defined 
as polynomial time, and negligible can also be defined in the traditional manner. 



2.1 Secure Key-Agreement

A key-agreement scheme is a protocol between two parties Alice and Bob, at the end of which each party computes the same key K ∈ 𝒦 (with overwhelming probability), for some key space 𝒦. Let T be the transcript of the protocol, i.e., the entire list of exchanged messages. Throughout the paper, we consider security against passive attacks, i.e., we assume that Alice and Bob can communicate over an authenticated channel. This is sufficient to illustrate our point, but note that security definitions for key-agreement are much more subtle in a setting with an active adversary who can tamper with messages exchanged between Alice and Bob.

A key-agreement scheme is computationally secure if no efficient distinguisher, when given T, can distinguish K from a key K' chosen independently and uniformly at random from the key space 𝒦, with non-negligible advantage. For example, the computational security of the Diffie-Hellman key-agreement protocol [7] is equivalent to the so-called Decision-Diffie-Hellman assumption.

A computationally secure key-agreement scheme can also be obtained from any semantically secure public-key encryption scheme: Alice selects a random key K ∈ 𝒦 and sends it to Bob, encrypted with Bob's public key.

2.2 Private Information Retrieval 

The idea of private information retrieval (PIR) was introduced in [4]. A PIR scheme is a protocol for two parties, a user U and a database D, allowing the user to access database entries in a way that D cannot learn which information U requested. More precisely, the database content can be modelled as a string x = (x_1, ..., x_l) ∈ {0,1}^l, and U wants to access the i-th bit x_i of x, for some i ∈ {1, ..., l}, such that D does not learn i. It is not relevant whether U learns more than x_i.

A trivial solution to this problem is that D sends all bits x_1, ..., x_l to U, allowing U to pick the bits he wants. The purpose of PIR protocols is to reduce the required communication. Depending on the protocol, the secrecy of i can be computational or information-theoretic. In this paper we consider computationally secure PIR protocols [13].

A typical PIR protocol proceeds in three stages. First, U sends a query, depending on i. Let Q(i) denote the query for index i. Second, D computes the reply 𝓡(Q(i), x) and sends it to U. Third, U extracts x_i from 𝓡(Q(i), x). The scheme is computationally private if no efficient distinguisher can distinguish Q(i) from Q(i'), for any i, i' ∈ {1, ..., l}.

In this paper we need an additional property of the PIR scheme, namely that x_i is determined by i, Q(i), and 𝓡(Q(i), x) (even if it cannot be efficiently computed). Note that in a PIR scheme, U typically holds a secret key which allows x_i to be extracted efficiently from i and 𝓡(Q(i), x).

A well-known PIR scheme proposed in [13] makes use of the homomorphic property of the quadratic residues and the computational difficulty of the quadratic residuosity problem. More precisely, U generates an RSA modulus n = pq. The string (x_1, ..., x_l) is divided into v = ⌈l/t⌉ blocks of length t, for some t. Let 1 ≤ j ≤ t be the index of x_i within its block. The query Q(i) consists of a list (y_1, ..., y_t) of t elements of Z_n^*, all (independent) random quadratic residues, except for y_j which is a random quadratic non-residue with Jacobi symbol 1. The database's reply consists of v elements in Z_n^*, one for each of the v blocks, where for each block D computes the product of all the y_m corresponding to 1's in the block. More precisely, 𝓡(Q(i), x) consists of one element of Z_n^* for each block, where for the first block (x_1, ..., x_t) the value is

$$\prod_{m=1}^{t} y_m^{x_m},$$

for the second block it is $\prod_{m=1}^{t} y_m^{x_{t+m}}$, and similarly for the other blocks. Let m ∈ {1, ..., v} be the index of the block to which x_i belongs. It is easy to see that x_i = 0 if and only if the reply for the m-th block is a quadratic residue. Clearly this can be efficiently checked by the user U (who knows p and q). Note that the user ignores all other received values not relevant for obtaining x_i. The communication complexity of this scheme is as follows: The query consists of t elements of Z_n^* and the reply consists of v elements of Z_n^*. A reasonable trade-off is to let t ≈ √l.
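The quadratic-residuosity PIR just described, as an added worked example (this is illustrative code written for this edition, not code from the paper or from [13]): the user picks an RSA modulus, builds a query of t group elements that are all squares except at the position of the wanted bit, the database multiplies the elements selected by the 1-bits of each block, and the user tests the reply of the relevant block for quadratic residuosity with Euler's criterion. The primes are deliberately tiny (about 12 bits) so the example runs instantly; the indexing is 0-based, and the function and variable names are this example's own.

```python
import random
from math import gcd, isqrt


def _is_prime(n):
    """Trial division; fine for the toy-sized primes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def _random_prime(bits, rng):
    while True:
        cand = rng.randrange(1 << (bits - 1), 1 << bits) | 1
        if _is_prime(cand):
            return cand


def _legendre(a, p):
    """Euler's criterion: 1 if a is a quadratic residue mod prime p, p-1 if not."""
    return pow(a % p, (p - 1) // 2, p)


def user_keygen(rng, bits=12):
    """The user U generates an RSA modulus n = pq and keeps p, q secret."""
    p = _random_prime(bits, rng)
    q = _random_prime(bits, rng)
    while q == p:
        q = _random_prime(bits, rng)
    return p, q, p * q


def is_qr_mod_n(a, p, q):
    """a is a square mod n = pq iff it is a square mod both p and q."""
    return _legendre(a, p) == 1 and _legendre(a, q) == 1


def make_query(n, p, q, t, j, rng):
    """Q(i): t elements of Z_n^*, random squares everywhere except position j
    (the index of x_i inside its block), which is a random non-residue whose
    Jacobi symbol is +1 (non-residue mod p and mod q, so (-1)(-1) = +1)."""
    query = []
    for m in range(t):
        while True:
            r = rng.randrange(2, n)
            if gcd(r, n) != 1:
                continue
            if m != j:
                query.append(r * r % n)          # a random quadratic residue
                break
            if _legendre(r, p) == p - 1 and _legendre(r, q) == q - 1:
                query.append(r)                  # Jacobi-1 non-residue
                break
    return query


def database_reply(n, x, t, query):
    """For each block of t bits, multiply the y_m whose bit in the block is 1.
    The database sees only n and the query, never p, q or the target index."""
    v = -(-len(x) // t)                          # ceil(l / t) blocks
    reply = []
    for b in range(v):
        acc = 1
        for m in range(t):
            idx = b * t + m
            if idx < len(x) and x[idx] == 1:
                acc = acc * query[m] % n
        reply.append(acc)
    return reply


def extract_bit(reply, p, q, i, t):
    """x_i = 0 iff the reply for block i // t is a quadratic residue: a product
    of squares is a square, and it stays one unless the non-residue y_j
    (selected exactly when x_i = 1) is among the factors."""
    return 0 if is_qr_mod_n(reply[i // t], p, q) else 1


def pir_fetch(x, i, t, rng):
    """One full retrieval of bit i of the constructed database x."""
    p, q, n = user_keygen(rng)
    query = make_query(n, p, q, t, i % t, rng)
    reply = database_reply(n, x, t, query)
    return extract_bit(reply, p, q, i, t)


def pir_roundtrip_ok(seed=1, l=20, t=5):
    """Retrieve every bit of a random l-bit database and check each one."""
    rng = random.Random(seed)
    x = [rng.randrange(2) for _ in range(l)]    # constructed database content
    return all(pir_fetch(x, i, t, rng) == x[i] for i in range(l))


if __name__ == "__main__":
    print("all bits recovered:", pir_roundtrip_ok())
```

The query sent to D is t elements that are, to anyone who cannot decide quadratic residuosity modulo n, indistinguishable from t random squares, which is where the privacy of i comes from; with a 24-bit modulus as here that decision is trivial, so the parameters only illustrate the mechanics. Note that the reply for every block is returned, and U simply ignores all but block i // t, exactly as the text describes.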



3 Limitations of Key-Agreement in the BSM 



3.1 The Setting 

In this section we consider the BSM without an initially shared secret key between Alice and Bob. In this setting, in the first phase when R is available to all parties, Alice and Bob may use a randomized strategy (where the random strings of Alice and Bob are independent and denoted as R_A and R_B, respectively) to execute a protocol resulting in transcript T, and to each store some information about R. Alice stores M_A = f_A(R, T, R_A), and Bob stores M_B = f_B(R, T, R_B), for some functions f_A and f_B. Eve also stores some information M_E = f_E(R, T, R_E) about R, for some random string R_E.

In the second phase, when R has disappeared, Alice and Bob execute a second (probabilistic) protocol based on the stored values M_A and M_B, resulting in a second transcript T' and in both computing the key K.^4 The security requirement is that Eve must have only a negligible amount of information about K, i.e., I(K; M_E T') ≈ 0. In fact, for the sake of simplicity, we assume here that Eve should obtain zero information about K, i.e.,

$$I(K; M_E T') = 0,$$

but the analysis can easily be generalized to a setting where Eve is allowed to obtain some minimal amount of information about K. The lower bound result changes only marginally.

We prove the following result, which shows that the practicality of such an approach without shared initial key is inherently limited. Alice or Bob must have storage capacity √s. The proof is given in Section 3.3.



Theorem 1. For any key-agreement protocol secure in the BSM with no initial key for which I(K; M_E T') = 0, the entropy H(K) of the generated secret key K is upper bounded by

$$H(K) \le \frac{s_A s_B}{s},$$

where s_A and s_B are the storage requirements for Alice and Bob, respectively, and s is the assumed storage bound for Eve.



^4 Here we assume that Alice and Bob generate the same key K, but this is of course a requirement of the scheme. The results can easily be generalized to a setting where the two key values must agree only with high probability.

We note that this bound also implies a bound on the memory of the adversary in the protocol for the oblivious transfer in the bounded-storage model.^5 Namely, if the memory of the honest parties is then the memory of a cheating party has to be much smaller than s\. This shows that the protocol of [8] is essentially optimal and answers the question posted in [8,9].

3.2 The Cachin-Maurer Scheme 

Indeed, as shown in [3], key agreement can be possible in such a BSM setting where Alice and Bob share no secret initial key. In this scheme, Alice and Bob each store an (independent) random subset (with pairwise independent indices) of the bits of R. After R has disappeared for all parties, they publicly check which bits they have stored. Eve has only partial information about these bits (with overwhelming probability), no matter what she has stored. Therefore Alice and Bob can use privacy amplification using an extractor to distill an essentially perfect key K.

In this scheme, due to the birthday paradox, the number of bits stored by Alice and Bob must be greater than √t since otherwise the number of bits known to both Alice and Bob would be very small with high probability. This also shows that for s on the order of t, the scheme of [3] has parameters close to the lower bound given by Theorem 1.^6
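The birthday-paradox argument behind the √t storage requirement, and the way it lines up with Theorem 1, as an added simulation (this is example code for this edition, not the scheme of [3] or any code of the authors): Alice and Bob each keep m uniformly chosen positions of a constructed t-bit randomizer and afterwards publish which positions they kept; the number of shared positions is about m²/t, so m = √t yields about one raw bit and m = 10√t about a hundred. The function names, the choice of fully independent (rather than merely pairwise independent) indices and the sample parameters are this example's own.

```python
import random


def store_random_subset(t, m, rng):
    """One party keeps m positions of the t-bit randomizer R, chosen uniformly
    and independently (the scheme only needs pairwise independence; fully
    independent draws are used here for simplicity). Repeated draws collapse,
    so slightly fewer than m distinct positions may be kept."""
    return {rng.randrange(t) for _ in range(m)}


def common_positions(alice_positions, bob_positions):
    """Positions both parties stored; these are agreed on publicly after R is gone."""
    return sorted(alice_positions & bob_positions)


def expected_common(t, m):
    """Birthday-paradox estimate: each of Alice's m positions lies in Bob's set
    with probability about m/t, so about m^2/t positions are shared. With
    m = sqrt(t) this is a single bit, which is why m must exceed sqrt(t)."""
    return m * m / t


def theorem1_bound(s_a, s_b, s):
    """Theorem 1: H(K) <= s_A * s_B / s for honest storage s_A, s_B and Eve's bound s."""
    return s_a * s_b / s


def simulate_raw_overlap(t, m, seed):
    """Run the first phase on a constructed random R and return (number of
    shared positions, the shared raw bits). Eve may know some of these bits,
    so they are the input to privacy amplification, not the key itself."""
    rng = random.Random(seed)
    randomizer = [rng.randrange(2) for _ in range(t)]   # constructed R
    alice = store_random_subset(t, m, rng)
    bob = store_random_subset(t, m, rng)
    shared = common_positions(alice, bob)
    return len(shared), [randomizer[i] for i in shared]


if __name__ == "__main__":
    t = 10_000
    for m in (100, 1_000):                      # sqrt(t) and 10 * sqrt(t)
        count, _ = simulate_raw_overlap(t, m, seed=1)
        print(f"m={m}: shared={count}, expected~{expected_common(t, m):.1f}, "
              f"Theorem 1 bound for s=t/2: {theorem1_bound(m, m, t // 2):.1f} bits")
```

With s = t/2 the bound of Theorem 1 for m = 1000 is 200 bits, while the simulation yields roughly 90 shared raw positions before any of Eve's partial knowledge is removed; the raw overlap m²/t thus already has the s_A s_B / s shape of the bound, which is the sense in which the scheme is close to optimal when s is on the order of t.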



3.3 Proof of Theorem 1 



We first need the following information-theoretic lemma.

Lemma 1. Consider a random experiment with random variables Y, Z, Z_1, ..., Z_n such that conditioned on Y, the variables Z, Z_1, ..., Z_n are independent and identically distributed, i.e.,

$$P_{Z Z_1 \cdots Z_n \mid Y}(z, z_1, \dots, z_n, y) = P_{Z|Y}(z, y) \prod_{i=1}^{n} P_{Z|Y}(z_i, y)$$

for all y, z, z_1, ..., z_n and for some conditional probability distribution P_{Z|Y}.^7 Then

$$I(Y; Z \mid Z_1 \cdots Z_n) \le \frac{H(Y)}{n+1}.$$

^5 This is because there exists a black-box reduction of the key-agreement problem to the oblivious transfer problem [12]. (It is easy to see that the reduction of [12] works in the bounded-storage model.)

^6 It should be mentioned that the security analysis given in [3] is quite weak, but this could potentially be improved by a better scheme or a tighter security analysis.

^7 In other words, Z, Z_1, ..., Z_n can be considered as being generated from Y by sending Y over n + 1 independent channels specified by P_{Z|Y}, i.e.,

$$P_{Z|Y}(z, y) = P_{Z_1|Y}(z, y) = \cdots = P_{Z_n|Y}(z, y)$$

for all y and z.
Proof. The random experiment has a strong symmetry between the random variables Z, Z_1, ..., Z_n, both when considered without Y, and also when considered conditioned on Y. Any information-theoretic quantity involving some of the random variables Z, Z_1, ..., Z_n (and possibly Y) depends only on how many of these random variables occur, but not which ones. Let therefore H(u) denote the entropy of (any) u of the random variables Z, Z_1, ..., Z_n. Similarly, we can define H(u|v) as the conditional entropy of u of them, given any other v of them. The quantities H(Y, u|v), H(u|Y, v), and I(Y; u|v) can be defined analogously. We refer to [5] for an introduction to information theory.

In this notation, the lemma states that

$$I(Y; 1 \mid n) \le \frac{H(Y)}{n+1}.$$

The chain rule for conditional information^8 implies that

$$I(Y; n+1) = \sum_{i=0}^{n} I(Y; 1 \mid i). \qquad (1)$$

We next show that

$$I(Y; 1 \mid i) \le I(Y; 1 \mid i-1). \qquad (2)$$

This can be seen as follows:

$$\begin{aligned}
I(Y; 1 \mid i-1) - I(Y; 1 \mid i) &= H(Y, i-1) + H(i) - H(Y, i) - H(i-1) \\
&\quad - \bigl(H(Y, i) + H(i+1) - H(Y, i+1) - H(i)\bigr) \\
&= \underbrace{2H(i) - H(i+1) - H(i-1)}_{I(1; 1 \mid i-1) \;\ge\; 0} - \underbrace{\bigl(2H(Y, i) - H(Y, i-1) - H(Y, i+1)\bigr)}_{I(1; 1 \mid Y, i-1) \;=\; 0} \\
&\ge 0.
\end{aligned}$$

The first step follows from

$$I(U; V \mid W) = H(UW) + H(VW) - H(UVW) - H(W),$$

the second step by rearranging terms, and the last step since I(1; 1|i − 1) ≥ 0 but I(1; 1|Y, i − 1) = 0. This last fact follows since when given Y, any disjoint sets of Z-variables are independent.

Now using I(Y; n + 1) ≤ H(Y) and combining (1) and (2) completes the proof since the right side of (1) is the sum of n + 1 terms, the smallest of which is I(Y; 1|n). □

^8 Recall that the chain rule for information (see e.g. [5], Theorem 2.5.2) states that for arbitrary random variables V_1, ..., V_n, and U we have

$$I(U; V_1, \dots, V_n) = \sum_{i=1}^{n} I(U; V_i \mid V_{i-1}, \dots, V_1).$$
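Lemma 1 checked numerically, as an added example (this code is written for this edition and is not part of the paper): Y is a bit, and Z, Z_1, ..., Z_n are n + 1 independent binary-symmetric-channel copies of it, exactly the "n + 1 independent channels" picture of footnote 7. The conditional mutual information is computed by exhaustive enumeration of the joint distribution using the identity I(U; V|W) = H(UW) + H(VW) − H(UVW) − H(W) from the proof, and compared with H(Y)/(n + 1). Reading Y as M_A, Z as M_B and the Z_i as Eve's ⌊s/s_B⌋ simulated copies of Bob gives the quantity bounded in the proof of Theorem 1 below. The function names and the BSC parameters are this example's own.

```python
from itertools import product
from math import log2


def _entropy(probs):
    """Shannon entropy in bits of a probability vector (zero terms skipped)."""
    return -sum(p * log2(p) for p in probs if p > 0)


def joint_distribution(n, eps, p_y1=0.5):
    """Joint law of (Y, Z, Z_1, ..., Z_n): Y ~ Bernoulli(p_y1), and each
    Z-variable is Y sent over its own independent BSC with crossover eps.
    Returns a dict mapping an outcome tuple to its probability."""
    dist = {}
    for y in (0, 1):
        p_y = p_y1 if y else 1 - p_y1
        for zs in product((0, 1), repeat=n + 1):
            pr = p_y
            for z in zs:
                pr *= (1 - eps) if z == y else eps
            dist[(y,) + zs] = pr
    return dist


def marginal_entropy(dist, positions):
    """H of the marginal on the given coordinates (0 = Y, 1 = Z, 2.. = Z_i)."""
    marg = {}
    for outcome, pr in dist.items():
        key = tuple(outcome[i] for i in positions)
        marg[key] = marg.get(key, 0.0) + pr
    return _entropy(marg.values())


def cond_mutual_info(n, eps):
    """I(Y; Z | Z_1 ... Z_n) = H(Y Z^n) + H(Z Z^n) - H(Y Z Z^n) - H(Z^n)."""
    dist = joint_distribution(n, eps)
    y, z, copies = 0, 1, list(range(2, n + 2))
    return (marginal_entropy(dist, [y] + copies)
            + marginal_entropy(dist, [z] + copies)
            - marginal_entropy(dist, [y, z] + copies)
            - marginal_entropy(dist, copies))


def lemma_bound(n, eps):
    """Right-hand side of Lemma 1: H(Y) / (n + 1)."""
    return marginal_entropy(joint_distribution(n, eps), [0]) / (n + 1)


def lemma_holds(n, eps, tol=1e-12):
    """Lemma 1 for this experiment: I(Y; Z | Z_1..Z_n) <= H(Y)/(n+1)."""
    return cond_mutual_info(n, eps) <= lemma_bound(n, eps) + tol


if __name__ == "__main__":
    for n in range(0, 7):
        print(f"n={n}: I(Y;Z|Z_1..Z_n)={cond_mutual_info(n, 0.1):.4f}"
              f"  bound={lemma_bound(n, 0.1):.4f}")
```

For n = 0 the quantity is the plain channel capacity term 1 − h(ε); as n grows the copies already pin Y down, so the extra copy Z tells ever less about Y, which is inequality (2) in the proof, and the sum of the n + 1 terms never exceeds H(Y) = 1 bit.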
To prove Theorem 1, recall that s_A, s_B and s are the storage capacities of Alice, Bob, and Eve, respectively. We have to specify a strategy for Eve to store information (i.e., the function f_E). Such an admissible strategy is the following: For the fixed observed randomizer R = r and transcript T = t, Eve generates ⌊s/s_B⌋ independent copies of what Bob stores, according to the distribution P_{M_B|R=r,T=t}. In other words, Eve plays, independently, ⌊s/s_B⌋ times the role of Bob. We denote Eve's stored information (consisting of β = ⌊s/s_B⌋ parts) as M_E. The above lemma implies that

$$I(M_A; M_B \mid M_E) \le \frac{H(M_A)}{\lfloor s/s_B \rfloor + 1} \le \frac{s_A}{\lfloor s/s_B \rfloor + 1} \le \frac{s_A s_B}{s}.$$

The second inequality follows from H(M_A) ≤ s_A, and the last one from ⌊s/s_B⌋ + 1 ≥ s/s_B. Now we can apply Theorem 3 in [16] which considers exactly this setting, where Alice, Bob, and Eve have some random variables M_A, M_B, and M_E, respectively, jointly distributed according to some distribution P_{M_A M_B M_E}. The theorem states that the entropy of a secret key K that can be generated by public discussion is upper bounded as

$$H(K) \le \min\bigl(I(M_A; M_B),\, I(M_A; M_B \mid M_E)\bigr),$$

i.e., in particular by I(M_A; M_B | M_E). This concludes the proof. □



4 The Hybrid Model 

As described in Section 1.2, some authors have suggested that one can securely combine the BSM with a (computationally secure) public-key agreement scheme KA used to generate the initial key K. We call this model the hybrid model. The motivation for the hybrid model is to achieve provable security under the sole assumption that Eve cannot break the key agreement scheme during the storage phase, even if afterwards she may gain infinite computing power, or for some other reason might be able to break the key agreement scheme. The BSM can hence potentially be used to preserve the security of a computationally secure scheme for eternity. The reason is that if Eve has no information about K during the storage phase, she has missed any opportunity to know anything about the derived key X, even if she later learns K. Note that in the standard BSM Eve learns K by definition, but in the hybrid scheme she may at a later stage learn it because she can possibly break the key agreement scheme based on the stored transcript.

We show that this very intuitive and apparently correct reasoning is false by giving an example of a secure (according to the standard definition) computational key-agreement scheme for which the BSM-scheme is nevertheless completely insecure.

The hybrid model can be formalized as follows. During the first phase, Eve is computationally bounded (typically a polynomial bound), and Alice and Bob carry out a key agreement protocol, resulting in transcript T. Eve performs an efficient computation on R and T (instead of performing an unbounded computation on R alone), and stores the result U of the computation (which is again bounded to be at most s bits). Then she loses access to R and obtains infinite computing power. Without much loss of generality we can assume that she stored T as part of U and hence she can now compute K.

Theorem 2. Assume that a computationally secure PIR scheme (see the footnote) exists, and
assume its communication complexity is at most $l^{2/3}$, where $l$ is the size of the
database. Then there exists a key-expansion function $f$ secure in the standard
BSM but insecure in the hybrid model, for the same bound on Eve's storage
capacity.

Clearly, the scheme of [13] (described in Section 2.2) satisfies the requirements
stated in the theorem. The key-expansion function $f$ (whose existence we claim
in the theorem) can be basically any key-expansion function proven secure in
the literature.

Proof (of Theorem 2). We are going to construct a (rather artificial) key agreement
scheme KA such that $f$ is not secure in the hybrid model. To construct
KA we will use an arbitrary computationally secure key agreement scheme KA'.
In [12,6] it was shown that the existence of computationally secure PIR schemes
implies the existence of a key agreement scheme. Therefore we can assume that
such a scheme exists (since we assume a secure PIR scheme). It is also reasonable
to assume that the communication complexity of this scheme is small when
compared to the size of the randomizer. One can also have in mind a concrete
key-agreement scheme, for instance the Diffie-Hellman protocol, in which case
the transcript consists of $g^x$ and $g^y$ (for $x$ and $y$ chosen secretly by Alice and
Bob, respectively) and the resulting shared key is $g^{xy}$. This protocol is secure
under the so-called decision Diffie-Hellman assumption.

Let us fix some PIR scheme. For the key-expansion we will use an arbitrary
function $f$ (secure in the BSM) with the property that the number $m$ of bits
accessed by the honest parties is much smaller than the total length $t$ of the
randomizer, say $m \le t^{1/4}$ (without essential loss of generality, as any practical
scheme satisfies this). We assume that $f$ is secure in the BSM against an
adversary who can store at most $s = t/2$ bits. An example of a function satisfying
these requirements is the function $f$ of [11] (for a specific choice of the
parameters).

In our scenario Eve will be able (at the end of the second phase) to reconstruct
each bit accessed by the honest parties. The basic idea is to execute $m$
times independently and in parallel the PIR query protocol. More precisely the
protocol KA is defined as follows:

1. Alice and Bob invoke the given key-agreement scheme KA'. Let $K$ be the
agreed key and let $T'$ be the transcript of the key agreement scheme.

2. Let $k_1, \ldots, k_m$ be the indices of the bits in the randomizer that are accessed
by the parties (for the given initial key $K$ and the BSM scheme $f$). Alice
sends to Bob a sequence $Q(k_1), \ldots, Q(k_m)$ of $m$ PIR queries, where each
query is generated independently (with fresh random coins).

3. Alice and Bob (locally) output $K$ as their secret key.

(Footnote to Theorem 2: the PIR scheme is as defined in Section 2.2.)

It is not hard to see that the security of KA' and the privacy of PIR imply
the security of KA. Step 2 is an artificial extension of KA' needed to make the
resulting scheme insecure in the hybrid BSM, i.e., to encode into the transcript
some useful information that can be used by Eve. Her strategy (for a given transcript
of KA and a randomizer $R$) is as follows. In the first phase she computes
the answers to the queries ("acting" as a database). She does not send them
anywhere, but simply stores them in her memory. She also stores the queries
and the transcript $T'$ of the key-agreement scheme KA'. In other words:

$$U := \bigl((Q(k_1), \mathcal{R}(Q(k_1), R)), \ldots, (Q(k_m), \mathcal{R}(Q(k_m), R)), T'\bigr),$$

where $R$ denotes the randomizer and $\mathcal{R}(Q(k), R)$ the answer of the PIR database $R$ to the query $Q(k)$. Since the PIR is efficient, so is Eve's computation.
Because of the communication efficiency of the PIR scheme and of the
key-agreement protocol KA', the length of $U$ is at most $m \cdot t^{2/3} + |T'|$, which is
at most $t^{1/4 + 2/3} + |T'|$. Since $|T'|$ is much smaller than $t$, this value has to be
smaller than $s = \frac{1}{2} \cdot t$ for sufficiently large $t$.

In the second phase the adversary can easily compute (from $T'$) the value of
$K$ and therefore she can obtain $k_1, \ldots, k_m$. For every $i$ she also knows $(Q(k_i), \mathcal{R}(Q(k_i), R))$,
thus she can (using the unlimited computing power) compute the bit of $R$ at
position $k_i$ (by the property of PIR schemes recalled in the footnote below). Therefore she can compute the value of $f(K, R)$. □

5 Discussion 

One of the surprising consequences of Theorem 2 is that existing definitions 
for the computational security of key-agreement and encryption are too weak 
to cover settings in which the adversary’s computing power may change over 
time, as is the case in real life. We thus need a new security definition of a key- 
agreement scheme and a public-key cryptosystem which implies, for example, the 
security in the BSM, as discussed above. It is quite possible that existing schemes 
such as the Diffie-Hellman protocol satisfy such a stronger security definition, 
and that only artificial schemes as the one described in the proof of Theorem 2 
fail to be secure according to the stronger definition. It is an interesting problem
to formalize in a more general context how and when security can be preserved
even though a scheme gets broken at a certain point in time.






Footnote: recall that in the definition of a PIR scheme (Section 2.2) we assumed that the
values $i$, $Q(i)$, $\mathcal{R}(Q(i), x)$ determine the value of $x_i$.
Abstract. Generating a distributed key, where a constant fraction of
the players can reconstruct the key, is an essential component of many
large-scale distributed computing tasks such as fully peer-to-peer computation
and voting schemes. Previous solutions relied on a dedicated
broadcast channel and had at least quadratic cost per player to handle a
constant fraction of adversaries, which is not practical for extremely large
sets of participants. We present a new distributed key generation algorithm,
sparse matrix DKG, for discrete-log based cryptosystems that requires
only polylogarithmic communication and computation per player
and no global broadcast. This algorithm has nearly the same optimal
threshold as previous ones, allowing up to a $1/2 - \epsilon$ fraction of adversaries,
but is probabilistic and has an arbitrarily small failure probability. In
addition, this algorithm admits a rigorous proof of security. We also introduce
the notion of matrix evaluated DKG, which encompasses both
the new sparse matrix algorithm and the familiar polynomial based ones.

Keywords: Threshold Cryptography. Distributed Key Generation. Dis- 
crete Logarithm. Random Walk. Linear Algebra. 



1 Introduction 

Distributed key generation (DKG) is an essential component of fully-distributed 
threshold cryptosystems. In many contexts, it is impractical or impossible to 
assume that a trusted third party is present to generate and distribute key shares 
to users in the system. In essence, DKG allows a set of players to collectively 
generate a public/private key pair with the “shares” of the private key spread 
over the players so that any sufficiently large subset can reveal or use the key. The 
generated key pair is then used in a discrete-log based threshold cryptosystem. 
Commonly the security parameter of such a system is called the threshold, $t$.
This is the number of players that can be corrupted without the key being
compromised.

Most distributed key generation schemes in the literature do not carefully
consider the communication and computation cost required of each server. Specifically,
most schemes require $O(nt)$ computation and communication per player,
where $n$ is the number of players participating in the scheme. In this paper,
we present a randomized algorithm called sparse matrix DKG that reduces this
cost to polylogarithmic in $n$ per player, both in terms of computation and communication,
in the presence of $\Omega(n)$ malicious parties. For large systems, this difference is
quite significant. The cost of this gain is a slight chance that the algorithm fails.
We formalize this cost in the definition of a probabilistic threshold distributed
key generation algorithm. We also show how sparse matrix DKG is a specific
instance of a broader family of DKG algorithms.

2 Basic System Model 

The systems we describe involve a group of n players. The players are modeled 
by probabilistic polynomial-time Turing machines. They are connected with se- 
cure point-to-point channels, but without any broadcast channel. We feel that 
these assumptions are realistic for practical situations: true broadcast is only 
achievable in practice using Byzantine agreement but secure channels can be 
achieved through a public key infrastructure. We also assume that the players 
have access to a common source of randomness. The adversaries in this system 
are static and are assumed to be fixed when the algorithm begins. This is a 
reasonable assumption since, in practice, this algorithm is sufficiently fast that 
successful dynamic adversaries are unlikely. 

For simplicity, we assume that there is an honest, but not trusted, dealer 
present to aid in the initialization of the algorithm. The first task of the dealer is 
to establish the set of n players that will participate in the algorithm. This task 
makes the dealer resemble a directory server for the players. The users who wish 
to generate a distributed key are assumed to know the identity of the dealer. 
These users will then contact the dealer in order to secure a unique identifier 
for the algorithm. This dealer may also assist in the creation of a public key 
infrastructure so that users can transmit messages securely through encryption 
or authenticate messages with digital signatures. The dealer then decides when 
enough users are present for the algorithm to begin. This is decided by either 
having a fixed number of users known up front or requiring that users who wish 
to participate send a message to the dealer within a fixed time limit. In either 
case, this process determines the value of n, the number of users participating 
in the algorithm. Part of our initial assumption is that the dealer has access to a 
random oracle [1] so some randomness may be distributed to the players. Based 
on the value of n, the dealer will decide on a set of random bits and distribute 
a subset of them to each player. 

In practice, the dealer need not be a single party, and could be implemented 
through a logarithmic size group of users or a hierarchy of users. 

3 Distributed Key Generation Protocols 

3.1 Previous Work 

Existing literature on DKG algorithms is quite broad. One main line of approach 
began with the polynomial-based algorithm presented by Pedersen [8]. This al- 
gorithm was presented by other authors in varied forms as the basis of various 
threshold cryptosystems. This basic algorithm and these modifications, however,
were vulnerable to a variety of attacks that would allow an adversary to bias the
distribution of the private and public keys. This flaw was remedied by Gennaro,
et al. [4] in a protocol that operates in two phases and uses Pedersen's verifiable
secret sharing algorithm [9] to protect the bit commitments of the public
key against static adversaries. All of these approaches require $O(t)$ broadcasts
and $O(n)$ point-to-point messages for each player. Gennaro, et al. followed up
their paper [5] with an explanation of how Pedersen's original algorithm is secure
when used for Schnorr signatures. One main advantage of using the basic
Pedersen algorithm is saving one broadcast round.

3.2 Definitions 

The following definitions apply to discrete-log based cryptosystems. The globally
known constants are $p$, a large prime; $q$, a large prime that divides $p - 1$; and $g$, an
element of order $q$ in $\mathbb{Z}_p$. The first three criteria of the following definition have
been used widely to define DKG protocols. The fourth was added by Gennaro,
et al. in order to quantify the secrecy of an algorithm's key against malicious
participants in the generation phase.

Definition 1. A $t$-secure distributed key generation algorithm satisfies the following
requirements, assuming that fewer than $t$ players are controlled by the
adversary:

(C1) All subsets of $t + 1$ shares provided by honest players define the same
unique secret key $x$.

(C2) All honest parties have the same value of the public key $y = g^x \bmod p$,
where $x$ is the unique secret guaranteed by (C1).

(C3) $x$ is uniformly distributed in $\mathbb{Z}_q$ (and hence $y$ is uniformly distributed
in the subgroup generated by $g$).

(S1) The adversary can learn no information about $x$ except for what is implied
by the value $y = g^x \bmod p$.

We propose the following modification to allow a DKG algorithm to fail
with small probability. This will allow for algorithms that are considerably more
efficient with arbitrarily small impacts to security.

Definition 2. A probabilistic threshold $(\alpha, \beta, \delta)$ distributed key generation algorithm
satisfies requirements (C2), (C3) and (S1) above as well as (C1') and (C4')
below (which replace (C1)), all with probability $1 - \delta$, assuming that the set of
players controlled by the adversary is less than $\alpha n$.

(C1') The shares of any subset of honest players define the same key, $x$, or
no key at all.

(C4') Any subset of at least $\beta n$ honest players can recover the key with probability
$1 - \delta$.

By these definitions, a $t$-secure DKG algorithm is a probabilistic threshold
DKG algorithm as well (with failure probability $\delta = 0$).
3.3 Matrix Evaluated DKG

The sparse matrix distributed key generation algorithm we propose for very large 
sets of players is a specific instance in a family of protocols which we call matrix 
evaluated DKG. In section 3.4 we show that this family includes the familiar 
DKG algorithm introduced by Gennaro, et al. This general technique consists 
of three primary phases. In the first phase, all the players create their secrets 
and share them with the others. After it is decided which players have correctly 
shared their secrets, the public key is recovered. Finally, after the generation is 
complete, the algorithm provides a method for recovering the secret with only 
a subset of the shareholders. The use of a matrix to codify the relation between 
the key and its shares is similar to the technique Blakley proposed for secret 
sharing [2]. 



Master Algorithm

1. Start with a dealing phase so that all players know $E, v, g, h, p, q$ where $p$ is
a large prime, $q$ is a large prime that divides $p - 1$, $g$ and $h$ are elements of
order $q$ in $\mathbb{Z}_p$, $E$ is an $m \times n$ matrix over $\mathbb{Z}_q$ and $v$ is an $m$ element vector
over $\mathbb{Z}_q$.

2. Generate $x$:

(a) Each player $i$ chooses two row vectors, $a_i, a'_i \in \mathbb{Z}_q^m$.

(b) Player $i$ then calculates $s_i = a_i E$, $s'_i = a'_i E$. Define the checking group:
$Q_i = \{ j \mid s_{ij} \ne 0 \vee s'_{ij} \ne 0 \}$. Player $i$ sends the $j$th element of each, $s_{ij}, s'_{ij}$,
to player $j \in Q_i$ and broadcasts $C_i = g^{a_i} h^{a'_i} \bmod p$ (where both the
exponentiation and multiplication are element-wise) to all $j \in Q_i$. All the
following broadcasts are to $Q_i$ only; in the sparse matrix algorithm, $|Q_i| = O(\log n)$.

(c) Each player $j$ verifies the shares received from other players. For each $i$
such that $j \in Q_i$, player $j$ checks if:

$$g^{s_{ij}} h^{s'_{ij}} = \prod_{k=1}^{m} C_{ik}^{E_{kj}} \bmod p \qquad (1)$$

If this check fails for $i$, player $j$ broadcasts a complaint against player $i$
to $Q_i$.

(d) Every player $i$ who was complained against by player $j$ will broadcast
$s_{ij}, s'_{ij}$ to $Q_i$.

(e) The other players in $Q_i$ will check the broadcast $s_{ij}, s'_{ij}$ and mark as
invalid each $i$ for which Eq. 1 does not hold.

3. Each player $i$ builds the set $V$ of all players who were not marked invalid and
sets their share of the secret as $x_i = \sum_{j \in V} s_{ji}$. Note that $x_i$ is the $i$th element
of the vector $\bigl(\sum_{j \in V} a_j\bigr) E$. The secret key is defined as $x = \bigl(\sum_{i \in V} a_i\bigr) \cdot v$.



4. Reveal $y = g^x \bmod p$:

(a) Each valid player $i$ broadcasts the vector $A_i = g^{a_i} \bmod p$ to $Q_i$.

(b) Each player $j$ verifies that each $A_i$ is valid by checking for each $i \in V$
such that $j \in Q_i$ if:

$$g^{s_{ij}} = \prod_{k=1}^{m} A_{ik}^{E_{kj}} \bmod p \qquad (2)$$

If this check fails for $i$, player $j$ broadcasts a complaint against player $i$
as well as $s_{ij}, s'_{ij}$ to $Q_i$.

(c) If at least one valid complaint is filed against player $i$ (Eq. 1 holds for
$s_{ij}, s'_{ij}$ but Eq. 2 does not), then all players in $Q_i$ will reconstruct $a_i$ in
public by solving a set of linear equations ($s_i = a_i E$), for the valid values
of $s_{ij}$.

(d) Each of the honest members of $Q_i$ knows both whether player $i$ is valid
and, if so, the correct value $A_i$. To find $y$, it suffices to ask each member
of each $Q_i$, find the set $V$, and then take $y = \prod_{i \in V} \prod_{k=1}^{m} A_{ik}^{v_k} \bmod p$
(since $\prod_{k} A_{ik}^{v_k} = g^{a_i \cdot v}$).

Sharing the Secret The basis of this algorithm is what we call an evaluation
matrix $E$, which has $m$ rows and $n$ columns, where $n$ is the total number of
players in the system. Each player $i$ picks an internal secret $a_i$, which is a row
vector with $m$ elements and, from that, creates an external secret $s_i = a_i E
\bmod q$, another row vector, now with $n$ elements. Player $i$ then reveals the $j$th
column of the external secret, $s_{ij}$, to player $j$. If the $a_i$ and $E$ are structured, it
is possible that fewer than $n$ users are assigned non-zero shares by player $i$.

In order to demonstrate that player $i$ is creating consistent shares of the
external secret, she must broadcast a committed version of her internal secret.
For this we employ the VSS scheme introduced by Pedersen [9]. Player $i$ creates
another, random internal secret $a'_i$ and broadcasts a commitment vector $C_i =
g^{a_i} h^{a'_i} \bmod p$ (the multiplication here is element-wise) to the checking group $Q_i$
of players who receive the non-trivial shares. Each member of $Q_i$ can then verify
that her share of $s_i$ was created from the same $a_i$ as the others. This is achieved
by each player $j$ checking that Eq. 1 holds for each $i$, since all honest players are
assumed to agree on $C_i$.

This equality will certainly hold if $s_{ij} = \sum_{k=1}^{m} a_{ik} E_{kj}$ as specified above. If
it does not, then the secret share is invalid and player $j$ broadcasts a complaint
against player $i$. In response, player $i$ will broadcast $s_{ij}, s'_{ij}$ to demonstrate that
Eq. 1 is satisfied. If player $i$ broadcasts a pair of secret shares that does not satisfy
Eq. 1, then the other players will mark $i$ as invalid, since the external secret of
player $i$ is not consistent with any internal secret, and hence it would be impossible
to recover the secret key if it included this share.

At this point, $V$ is well defined and each checking group $Q_i$ knows whether
$i \in V$, since the decision is based on broadcast information. At this point both the
global private key $x$ and public key $y$ are well defined by the following equations,
where $T$ is a linear function (e.g., an inner product with a fixed vector, $v$):

$$a = \sum_{i \in V} a_i, \qquad x = \sum_{i \in V} T(a_i) = T(a), \qquad y = g^x \bmod p.$$



Revealing the Public Key Note that the public key is not yet publicly known.
This is necessary to ensure that an attacker does not skew its distribution by
manipulating the set $V$. After $V$ is established, the public key may be safely
extracted. Every player $i \in V$ broadcasts their share of the public key, the
vector $A_i = g^{a_i} \bmod p$. The other players will check if Eq. 2 holds.

Like the previous check, if the rules of the algorithm are followed, the equality
holds. If it does not and player $j$ broadcasts a complaint, the allegation of
cheating is treated with more caution than before. Specifically, player $j$ must
prove that her complaint is valid by broadcasting $s_{ij}, s'_{ij}$. The other players will
check that Eq. 1 holds for these secret shares. If it does, then it is very likely that
these shares are indeed from player $i$. They will also check Eq. 2 to validate the
complaint. If it is valid, all honest users will reconstruct $a_i$ by broadcasting their
shares. This is the straightforward process of solving a set of linear equations
that specify the internal secret for that player. The number of shares required
for reconstruction depends on the structure of $E$ and $a_i$.



Using the Private Key Based on the definition of $x$, it suffices to find $a$.
We can find $a$ directly through the relation $aE = (x_1, x_2, \ldots, x_n)$ if we know a
sufficient fraction of the $x_i$. This fraction is a function of the structure of $E$. It
is desirable, however, to never reveal $a$. Note that since $a$ is a linear function of
the $x_i$ we can write $a = (x_1, x_2, \ldots, x_n) \bar{E}$, where $\bar{E}$ is the pseudo-inverse of $E$.
If $T(a) = a v$ then $T(a) = (x_1, x_2, \ldots, x_n) \bar{E} v$. If the signature or encryption is of
the form $g^x$ (a group element raised to the private key), then each player can raise it to her share $x_i$, and the partial signatures or encryptions are
combined as $\prod_i (g^{x_i})^{L_i} = g^{\sum_i x_i L_i} = g^x$, where $L_i$ is the $i$th entry of the vector $\bar{E} v$. Of course, if only a subset
of the $x_i$ are available, a different $\bar{E}$ must be used.

3.4 GJKR DKG 

Before diving into sparse matrix DKG, we will show how the algorithm intro- 
duced by Gennaro, Jarecki, Krawczyk, and Rabin fits into the more generic 
matrix evaluated DKG framework. This protocol was introduced to eliminate a 
security flaw in the simpler Joint-Feldman protocol proposed by Pedersen where 
an adversary could bias the distribution over public keys. 

Let $E$ be the Vandermonde matrix with $m = t + 1$ rows and $n$ columns,
where $t$ is the security threshold of the system:

$$E = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ 1 & 2 & \cdots & n \\ \vdots & \vdots & & \vdots \\ 1 & 2^t & \cdots & n^t \end{pmatrix}, \qquad E_{kj} = j^{k-1}.$$

Each $a_i$ is a random $m$ element row vector, so that $|Q_i| = n$. The matrix
makes the external secret, $s_i$, the same as evaluations of a polynomial (with
coefficients defined by the internal secret) at the points $1, 2, \ldots, n$.

The private key is just a function applied to the sum of the internal secrets
of the valid players. The function in this case is $T(b_1, b_2, \ldots, b_m) = b_1$. Each
player's share of this secret is the sum of the shares they hold from the other valid
players. Equivalently, each player's share is the evaluation at a certain point of
the polynomial created by summing the polynomials of the valid players. Since all
the polynomials are of degree $t$, any $t + 1$ of the $s_{ij}$ will allow interpolation
to reconstruct $a_i$. Hence with $t + 1$ valid shares, the algorithm can succeed
in revealing the public or private key. Of course, since the private key should
never be revealed, it is possible to use the key using just the evaluations of the
polynomial through Lagrange interpolation coefficients.

Assuming that each server behaves properly, this algorithm incurs communication
cost per player of $O(t)$ broadcast bits and $O(n)$ messages, assuming
no faulty players. Achieving the broadcast through Byzantine agreement is very
expensive. In the two phases of the algorithm, each server performs $O(tn)$
operations. This occurs because each server must check every other server, and
checking each server is an $O(t)$ operation.
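The master algorithm of Section 3.3 and its GJKR instance above, as an added Python example (not the paper's code). It runs steps 2 to 4 with $E$ the Vandermonde matrix and $T(a) = a_1$: Pedersen commitments $C_i$, the checks of Eq. 1 and Eq. 2, one player who deliberately hands out a share inconsistent with her commitment (she is marked invalid by Eq. 1 and drops out of $V$), and recovery of the secret from any $t + 1$ shares by solving $a E|_S = (x_i)_{i \in S}$ modulo $q$. The group ($p = 607$, $q = 101$, $g = 2^6$ and $h = 3^6 \bmod p$) is a toy assumption; Pedersen's commitment relies on $\log_g h$ being unknown, which no party here computes.

```python
import secrets

P, Q = 607, 101                 # toy group: Q divides P - 1 (607 = 6 * 101 + 1); real systems use large primes
G = pow(2, (P - 1) // Q, P)     # element of order Q
H = pow(3, (P - 1) // Q, P)     # second order-Q element; log_G(H) assumed unknown (Pedersen)

def vandermonde(t, n):
    """GJKR instance of E: row k holds j^k for j = 1..n, so s_i = a_i E evaluates a degree-t polynomial."""
    return [[pow(j, k, Q) for j in range(1, n + 1)] for k in range(t + 1)]

def vec_mat(a, E):
    return [sum(a[k] * E[k][j] for k in range(len(E))) % Q for j in range(len(E[0]))]

def col_product(vals, E, j):
    """prod_k vals[k]^{E_kj} mod P: the right-hand side of Eq. 1 and Eq. 2."""
    out = 1
    for k in range(len(E)):
        out = out * pow(vals[k], E[k][j], P) % P
    return out

def check_eq1(C, E, j, s, s2):
    return pow(G, s, P) * pow(H, s2, P) % P == col_product(C, E, j)

def check_eq2(A, E, j, s):
    return pow(G, s, P) == col_product(A, E, j)

class Player:
    def __init__(self, i, E, cheat=False):
        m, n = len(E), len(E[0])
        self.i = i
        self.a = [secrets.randbelow(Q) for _ in range(m)]    # internal secret a_i
        self.a2 = [secrets.randbelow(Q) for _ in range(m)]   # Pedersen blinding a'_i
        self.s, self.s2 = vec_mat(self.a, E), vec_mat(self.a2, E)
        self.C = [pow(G, x, P) * pow(H, y, P) % P for x, y in zip(self.a, self.a2)]
        self.A = [pow(G, x, P) for x in self.a]
        self.Qi = [j for j in range(n) if self.s[j] or self.s2[j]]   # checking group
        if cheat:                       # hand player 0 a share inconsistent with C_i
            self.s[0] = (self.s[0] + 1) % Q
            self.Qi = sorted(set(self.Qi) | {0})
        self.received = {}              # i -> (s_ij, s'_ij) received from player i

def run_dkg(n, t, cheaters=()):
    """Steps 2-4 of the master algorithm with E = Vandermonde (GJKR) and T(a) = a_1."""
    E = vandermonde(t, n)
    players = [Player(i, E, i in cheaters) for i in range(n)]
    invalid = set()
    for pl in players:                                   # step 2(b)-(e)
        for j in pl.Qi:
            players[j].received[pl.i] = (pl.s[j], pl.s2[j])
            if not check_eq1(pl.C, E, j, pl.s[j], pl.s2[j]):
                invalid.add(pl.i)     # complaint; re-broadcasting the same share fails Eq. 1 too
    V = [i for i in range(n) if i not in invalid]
    shares = [sum(players[i].received.get(j, (0, 0))[0] for j in V) % Q for i in range(n)]
    y = 1
    for i in V:                                           # step 4: A_i, Eq. 2, y = prod_i g^{a_i . v}
        assert all(check_eq2(players[i].A, E, j, players[i].s[j]) for j in players[i].Qi)
        y = y * players[i].A[0] % P                       # v = (1, 0, ..., 0)
    return E, V, shares, y

def solve_mod_q(rows):
    """Gauss-Jordan elimination mod Q on augmented rows [coeffs | rhs]; None if rank < unknowns."""
    rows, m = [r[:] for r in rows], len(rows[0]) - 1
    for c in range(m):
        pr = next((k for k in range(c, len(rows)) if rows[k][c]), None)
        if pr is None:
            return None
        rows[c], rows[pr] = rows[pr], rows[c]
        inv = pow(rows[c][c], -1, Q)
        rows[c] = [x * inv % Q for x in rows[c]]
        for k in range(len(rows)):
            if k != c and rows[k][c]:
                f = rows[k][c]
                rows[k] = [(x - f * y) % Q for x, y in zip(rows[k], rows[c])]
    return [rows[k][m] for k in range(m)]

def recover_secret(E, S, shares):
    """Solve a E|_S = (x_i)_{i in S} for a (needs rank m), then x = T(a) = a_1."""
    a = solve_mod_q([[E[k][i] for k in range(len(E))] + [shares[i]] for i in S])
    return None if a is None else a[0]

def demo(n=7, t=2, cheaters=(3,)):
    E, V, shares, y = run_dkg(n, t, cheaters)
    honest = [i for i in range(n) if i not in cheaters]
    x1 = recover_secret(E, honest[:t + 1], shares)     # any t+1 honest shares ...
    x2 = recover_secret(E, honest[-(t + 1):], shares)  # ... give the same x
    return V, x1, x2, pow(G, x1, P) == y

if __name__ == "__main__":
    print(demo())
```

The only GJKR-specific lines are `vandermonde` and the choice `A[0]` for $T$; swapping in another $E$ and $v$ (the band matrix of Section 4, for instance) changes nothing in the commitment checks, the complaint handling or the linear solve, which is the point of the matrix evaluated framework.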



4 Sparse Matrix DKG 

To reduce both communication cost and computational complexity, we introduce
a technique that relies on a sparse evaluation matrix. This produces a
$(\gamma - \epsilon, \gamma + \epsilon, \delta)$ probabilistic threshold DKG algorithm for $0 < \gamma \le 1/2$, $\epsilon > 0$, $\delta > 0$.

4.1 Intuition 

The basic algorithm only requires a user to communicate with her checking group 
(to share her secret) and with all the checking groups to which she belongs (to 
determine whether those users behaved as the protocol dictates) . To reduce the 
communication complexity of the algorithm it is sufficient to make these checking 
groups small. However, they must be sufficiently large so that a majority of the 
group is honest. If the groups are logarithmic in size, Hoeffding bounds give an 
inverse-polynomial probability of a group failing this criterion, assuming that the
fraction of honest players is greater than a half. For recovery to be possible, the 
internal secret of a player must have fewer degrees of freedom than the number 
of honest recipients of her shares. A sparse, structured evaluation matrix is the 
tool that we use to map small secrets onto small checking groups. 

4.2 Sparse Evaluation Matrix 

By imposing constraints on the number of non-zero entries in each user’s internal 
secret and having a very structured evaluation matrix, we reduce the cost of the 
problem from quadratic to polylogarithmic in the number of users. Figure 1
illustrates the evaluation matrix used for a $(1/2 - \epsilon, 1/2 + \epsilon, \delta)$ instance of the
algorithm. Each row of the evaluation matrix has $\ell$ consecutive, random entries
offset by two columns from the previous row. Since the matrix must have $n$
columns, it must also have $m = (n - \ell)/2 + 1$ rows. We will show that for
$\ell = O(\log n)$, the algorithm can recover the key with a $1/2 + \epsilon$ fraction of honest
shares with high probability. In general, for $\gamma \le 1/2$, the evaluation matrix $E$ has
the band in each row offset by $\gamma^{-1}$ columns (on average) from the previous row
and hence there are $m \approx \gamma(n - \ell)$ rows in $E$. Intuitively, this offset allows most
sets of $m$ columns of the matrix to have full rank. The rest of the description
of the algorithm and the accompanying proofs assume $\gamma = 1/2$.

Fig. 1. An illustration of an evaluation matrix for $\gamma = 1/2$. Here $n = 64$, $\ell = 8$.
Each dot indicates a non-zero position in the matrix (columns $0$ to $64$ on the horizontal axis, rows $0$ to $30$ on the vertical axis).

4.3 Dealing Phase 

The dealer must generate O(nlogn) independent random bits for the analysis 
of this algorithm to succeed. This randomness is used to determine two things. 
First, it establishes the evaluation matrix E. The second use is to create a 
permutation of the users. All aspects of the algorithm require the adversary 
and honest players to be distributed at random. Any large cluster of dishonest 
players leaves part of the private key vulnerable. 

Unfortunately, it isn't practical to distribute that many bits to all the players.
It is reasonable, however, for the dealer to send each player his identifier as
determined by the permutation. Then player $i$ only needs to know the columns
of $E$ in $Q_i$ and in $\bigcup_{j \mid i \in Q_j} Q_j$: the first group is needed to produce the shares to send
to other players and the second, larger group is needed to check and possibly
reconstruct other players' shares. As we will see, this is a logarithmic number
of columns, and hence a polylogarithmic number of random bits. All players
will also query the dealer for the addresses of their peers. Since the dealer is
assumed to be honest, these bits need not be "broadcast"; a simple point-to-point
distribution suffices.

4.4 Making and Sharing the Secret 

Player $i$ creates a (sparse) internal secret vector, $a_i$, that contains only $u = \ell/(2\epsilon)$
non-zero, consecutive elements. The position of these elements is chosen to
equally distribute the checking load among all the players. Specifically, the starting
row of player $i$'s non-zero block grows proportionally with $i$. The structure of both the internal secret
vectors and the evaluation matrix means that not all players are given non-zero
shares by player $i$. This defines the checking group, $Q_i$. The only recipients of
broadcasts regarding player $i$ are members of her checking group. In this setting
of $\gamma$, there will be $\ell + 2(u - 1)$ (non-zero) shares, so that an adversary who
controls any $1/2 - \epsilon/2$ fraction of these still has fewer than $u$ shares.

To prove that these shares were constructed from the same internal secret
vector, it is necessary for player $i$ to broadcast the $C_i$ as defined above to $Q_i$.
Since our system model uses Byzantine agreement to achieve broadcast, the
relatively small number of non-zero shares reduces the number of participants
in this operation. In this algorithm, since the set of players outside of $Q_i$ has no
evidence as to whether player $i$ is or is not valid, the other players will take a
majority vote of the checking group to determine that. We are guaranteed that
all the honest players in the checking group will agree whether player $i$ is valid
since they are privy to the same information. We must then show that a majority
of $Q_i$ is honest. This is a straightforward application of Hoeffding bounds since
the expected fraction of honest players in any group is $\gamma + \epsilon = 1/2 + \epsilon$:

$$\Pr\Bigl[\bigl|\{x \in Q_i : x \text{ is dishonest}\}\bigr| \ge \tfrac{1}{2}|Q_i|\Bigr] \le 2\exp\bigl(-2\epsilon^2 |Q_i|\bigr).$$

Hence, since $|Q_i| \ge \ell$, if $\ell \ge O((1 + \kappa)\log n)$ then the probability is bounded
by $n^{-1-\kappa}$ and the probability that all checking groups have a majority of honest
players is $1 - n^{-\kappa}$ by a union bound.

4.5 Extracting the Public Key 

Revealing the public key occurs just as in the more general description. In the
proof of correctness, we show that it happens with high probability. A third party
who wishes to discover the public key that the algorithm has generated needs to
ask each checking group for the checked user's share and take the majority (the
checking group may also respond that the player is invalid). This is an $O(n \log n)$
operation. It is reasonable to assume that the dealer polls each player about the
other players that they have checked, tallies these votes for each player, multiplies
the public key shares for the valid players and then sends the public key to every
player.

It may be desirable to do this operation in a more distributed fashion. It is
certainly not practical for each player to poll each checking group. Instead, a
message passing algorithm to tally the public key is feasible. Here we set up a
binary partition of all the players. At the bottom of a binary tree are small (see the footnote),
non-overlapping groups of users for which the public key share of each (valid)
member is known to all in the group. As one moves up the tree, these shares
are multiplied to establish the shares of larger groups. The global public key
is found at the top of the tree. A logarithmic sized group is responsible for
each aggregation point within the binary tree. The public key, once found, may
be passed back down the tree to each user. By restricting communication to
the edges of the tree, each player need only communicate with $O(\log n)$ other
players.



4.6 Using the Global Secret 

As described above, the global secret is maintained as shares kept by each of
the valid users. However, to be useful in threshold cryptosystems, it must be
possible to apply this key for a signature without having all shareholders act.
The structure of the evaluation matrix assists us in this regard. Discovering the
value of the private key requires solving for $a$ (implicitly). If we can find the
inversion matrix $\bar{E}$, we will be able to recover the private key. This is possible
if the submatrix of the evaluation matrix corresponding to the valid users has
rank $m$.



4.7 Recoverability 

We assume that there are $\beta n$ players ($\beta = \gamma + \epsilon$) that will contribute their
shares to sign (or decrypt) a message. Let $S$ be the set of these players. Our
goal is to show that $E|_S$, the $m \times |S|$ submatrix of $E$ consisting of the columns
corresponding to good shares, has rank $m$. We first state a lemma that concerns
biased random walks. In the appendix, we prove this lemma for $\gamma = 1/2$. It is
straightforward to extend this to arbitrary $\gamma$.

Lemma 1. An $n$ step random walk that reflects at zero, with $(\gamma + \epsilon)n$ steps of
$1 - \gamma^{-1}$ and $(1 - \gamma - \epsilon)n$ steps of $+1$, will reach $O(\kappa \log n)$ with probability less
than $n^{-\kappa}$, for fixed $\epsilon$.

We can now prove our theorem concerning the rank of $E|_S$, in the case that
$\gamma = 1/2$.

Theorem 1. The matrix $E|_S$ formed by randomly deleting $\alpha n$ columns from
$E$, $\alpha = 1/2 - \epsilon$, will have rank $m$ with probability $1 - n^{-\kappa}$ if each row of $E$ has
$\ell = c\,\kappa \log n$ consecutive, non-zero, random entries, for a sufficiently large constant $c$ (depending on $\epsilon$).

Footnote: it is important that these groups be large enough that there is a low probability of
a corrupt majority. It suffices for them to be of size $\Omega(\log n)$.
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Proof. The theorem is proved by showing that a subset of m columns of E\s, 
taken as a matrix E\'g, has random elements along its main diagonal. Consider 
the process adding columns from E to E\s- Each row of E has £ non-zero, 
consecutive entries, called the band. We consider the incremental process of 
examining columns in order. If a column is present, and the column is not to 
the left of the band for the current row being considered (i.e., the row r for 
which we want a random value at (Eg)rr), that column is added to E\'g, and 
the next row is considered. Let Xi denote the offset of column i in the non-zero 
entries of the currently considered row, Ri (where i is a column index for the full 
matrix, E). For example, in Fig. 1, if j = 8 for row 3 the offset is 4. In general, 
Xi = i — 2{Ri — 1) . If Xi ever exceeds £, the process fails since none of the later 
columns will be able to contribute a random element for the diagonal entry at 
the current row. Define Xi = l,Ri = 1. Now consider the state Xi. If column i 
is missing, we stay at the current row, Ri+i = Ri, but step forward in relation 
to the beginning of the band. Hence W-i-i = Xi + 1. Now if column i is present, 
there are two possibilities. If > 1, the column is added and Ri+i = Ri + 1, 
so that column i -\- 1 would be one step forward in the same row, but one step 
behind in the next row (since the rows are offset by two relative to each other), 
and Xi_|_i = Xi — 1. Now if = 0 a present column does not help since we are 
in front of the band, so X^+i = 0 , Ri+i = Ri. 

Observing just the X_i, the process is identical to the reflecting random walk 
process defined above. Applying the random walk lemma, we may bound the 
probability that the walk passes ℓ after n steps, one for each column of E. This 
probability is just: 

P(process fails) = P(walk passes ℓ in n or fewer steps) < n^{−κ} 
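The column-scanning process of this proof and the union bound of the appendix lemma, as an added Python simulation that is not part of the paper: it builds a constructed band matrix whose rows are offset by two columns, runs the greedy selection with offset X_i = i − 2(R_i − 1), checks over a prime field that a successful selection really yields rank m, and compares the Monte Carlo failure rate with the n²(1 − 2ε)^ℓ bound. The field prime, the trial counts, and the use of the actual offset process in place of the reflecting-walk abstraction are assumptions of the example.

```python
import random

P = (1 << 61) - 1  # a Mersenne prime, assumed here as the field GF(p) for E


def band_matrix(m, ell, rng, p=P):
    """Constructed m-row evaluation matrix E: row r (0-based) holds ell
    consecutive random non-zero entries starting at column 2*r, so consecutive
    rows are offset by two columns as in the paper; n = 2(m-1) + ell columns."""
    n = 2 * (m - 1) + ell
    return [[rng.randrange(1, p) if 2 * r <= c < 2 * r + ell else 0
             for c in range(n)] for r in range(m)]


def select_columns(present, m, ell):
    """The incremental process of the Theorem 1 proof, scanning columns in
    order.  Row r (0-based) accepts a present column whose offset
    x = c - 2r + 1 (the paper's X_i = i - 2(R_i - 1)) lies in 1..ell; offsets
    <= 0 are in front of the band and cannot help.  Returns the chosen
    columns, or None once some offset exceeds ell (the process fails)."""
    chosen, r = [], 0
    for c, is_present in enumerate(present):
        if r == m:
            break
        x = c - 2 * r + 1
        if x > ell:
            return None
        if is_present and x >= 1:
            chosen.append(c)
            r += 1
    return chosen if r == m else None


def rank_mod_p(rows, p=P):
    """Rank over GF(p) by Gaussian elimination with modular inverses."""
    a = [[v % p for v in row] for row in rows]
    rank = 0
    for col in range(len(a[0]) if a else 0):
        pivot = next((i for i in range(rank, len(a)) if a[i][col]), None)
        if pivot is None:
            continue
        a[rank], a[pivot] = a[pivot], a[rank]
        inv = pow(a[rank][col], -1, p)
        a[rank] = [(v * inv) % p for v in a[rank]]
        for i in range(len(a)):
            if i != rank and a[i][col]:
                f = a[i][col]
                a[i] = [(vi - f * vr) % p for vi, vr in zip(a[i], a[rank])]
        rank += 1
        if rank == len(a):
            break
    return rank


def submatrix_rank(E, chosen, p=P):
    """Rank of the m x m submatrix of E given by the selected columns."""
    return rank_mod_p([[row[c] for c in chosen] for row in E], p)


def random_deletion(n, eps, rng):
    """Presence mask after deleting exactly alpha*n columns, alpha = 1/2 - eps,
    uniformly at random (the shares that are withheld in Theorem 1)."""
    missing = set(rng.sample(range(n), int((0.5 - eps) * n)))
    return [c not in missing for c in range(n)]


def estimate_failure(m, ell, eps, trials, seed=0):
    """Monte Carlo estimate of (P(process fails), P(selected submatrix is
    singular)).  The second should be ~0: a successful selection puts a random
    non-zero element on every diagonal entry."""
    rng = random.Random(seed)
    walk_fail = singular = 0
    for _ in range(trials):
        E = band_matrix(m, ell, rng)
        chosen = select_columns(random_deletion(len(E[0]), eps, rng), m, ell)
        if chosen is None:
            walk_fail += 1
        elif submatrix_rank(E, chosen) < m:
            singular += 1
    return walk_fail / trials, singular / trials


def lemma_bound(m, ell, eps):
    """Appendix union bound: fewer than n choices for each of i and j, each
    excursion from 0 reaching ell with probability below (1 - 2 eps)^ell."""
    n = 2 * (m - 1) + ell
    return n * n * (1 - 2 * eps) ** ell


if __name__ == "__main__":
    for ell in (6, 12, 24):
        fail, sing = estimate_failure(m=30, ell=ell, eps=0.1, trials=200)
        print(f"ell={ell:2d}: P(fail)~{fail:.3f} singular~{sing:.3f} "
              f"bound={lemma_bound(30, ell, 0.1):.3g}")
```

The union bound carries the n² factor, so it only becomes informative once ℓ is a sufficiently large multiple of log n, which is exactly the regime Theorem 1 assumes.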

4.8 Correctness 

Theorem 2. The sparse matrix DKG algorithm described above is a probabilis- 
tic threshold (β − ε, β + ε) DKG algorithm for ℓ = O(κ log n), the width 
of the band in the constraint matrix. 

Proof. (C1) The honest players within checking group Q_i always agree whether 
player i is in V, since that decision is made based on broadcast information. 
Honest players outside the checking group will rely on a majority vote of the 
checking group to determine if player i is included in V. Then the set V that 
is established in step 3 of the algorithm is unique if each checking group has a 
majority of honest players, which happens with probability 1 − n^{−κ}. Assuming 
the adversary is not able to compute dlog_g h, the check in Eq. 1 implies that the 
player's shares are all consistent with the same a_i. The reconstruction theorem 
implies that the honest players for any set of rows will have full rank, so they are 
consistent with a unique a_i, with probability 1 − n^{−κ}. Since all honest players 
have shares that satisfy Eq. 1, any set of them are able to recover x or not recover 
anything (in the case that the submatrix that they define is not invertible). 

(C2) In the case where a valid complaint is filed against player i, this a_i is 
reconstructed in public using the reconstruction theorem and A_i = g^{a_i} mod p. 
Now we consider the case where no valid complaints are filed. Since a_i could 
have been reconstructed with the shares from the honest players, there are at 
least u linearly independent equations and u unknowns, so that there must be a 
unique solution. Since the broadcast from player i agrees with these equations, 
through Eq. 2, the broadcast A_i is exactly g^{a_i}. Hence all honest players within 
each checking group have the correct value of A_i, and since there are a 
majority of honest players in each checking group, all honest players have the 
same value for A_i and also y = ∏_{i∈V} A_i mod p. 

(C3) The secret is defined as x = … . Since v is random, any random 
term of some a_i that is independent from the other a_j will cause x to be uniform. 
In the proof of secrecy, we show that the adversary cannot determine any a_i 
completely for an honest player i, so the dishonest players' a_j is independent of a 
term of every honest a_i. Also honest players choose all their terms independently, 
so the a_i from any honest player will satisfy this requirement. 

(C4) This is a direct application of the reconstruction theorem. 



4.9 Secrecy 

To show that the adversary is not able to learn any information about the 
private key x other than the fact that it is the discrete log of the public key y, 
we create a simulator. Formally, a simulator is a probabilistic polynomial-time 
algorithm that given y ∈ Z_p, such that y = g^x mod p for some x, can produce 
a distribution of messages that is indistinguishable from a normal run of the 
protocol where the players controlled by the simulator are controlled instead by 
honest players. This is the familiar technique used to show that zero-knowledge 
proofs do not reveal any private information. However, since our algorithm relies 
on a random distribution of adversarially controlled players, our simulator will 
only have a high probability of success. 

We assume that the adversary controls no more than a 1/2 − ε fraction of the 
players, chosen before the start of the algorithm. Recall that in section 4.4 we 
required that the adversary control no more than a fraction of any checking 
group. Hence each checking group contains less than (•^ + 2 ( 2 ^ — l)) < 
^ < u adversarially controlled players and the adversary cannot learn an honest 
player's entire internal secret. 

The input to the simulator is a y that could have been established at the end 
of a normal run of the protocol. Assume that the adversary controls the set B = 
{B_1, B_2, …, B_t} and that the honest parties (controlled by the simulator) are 
Q = {G_1, G_2, …, G_{n−t}}. In a non-simulated run of the protocol that ends with 
the public key y, the a'_i are uniform random vectors, subject to the sparseness 
constraint, and the a_i are random vectors subject to both ∏_{i∈V} A_i = y 
and the sparseness constraint. 

Consider the following algorithm for the simulator, SIM: 

1. Each honest player i ∈ Q performs steps 2 and 3 of the sparse matrix DKG 
protocol. At this point: 

— The set V is well defined and Q ⊆ V. 

— The adversary B has seen a_i, a'_i for i ∈ B, s_{ij}, s'_{ij} for i ∈ V, j ∈ B and 
C_{ij} for i ∈ V. 

— SIM knows a_i, a'_i for all i ∈ V (including those in V ∩ B, the internal 
secrets for the consistent adversary players). 

2. Perform the following calculations: 

— Compute A_i = g^{a_i} mod p for i ∈ Q \ {G_1}. 

— Let S be a subset of Q_{G_1}, the checking group for G_1, that contains all 
of Q_{G_1} ∩ B and enough of Q_{G_1} ∩ Q so that E|_S, the columns 
of E corresponding to S, has rank u − 1. Let r be some i such that the 
columns S ∪ {r} have rank u. 

— Assign s*_{G_1,j} = s_{G_1,j} for j ∈ S. 

— Let S' be a subset of m − 1 elements of S such that the columns S' of E 
have rank u − 1. 

— Compute Ê, the inverse of the submatrix of E corresponding to the 
columns S' ∪ {r} and the rows 1, …, u (i.e., assume wlog that G_1 = 1). 

— Note that s*_{G_1,j} for j ∈ S' are fixed, but s*_{G_1,r} has not yet been 
fixed. Similarly A*_{G_1} = …, where the α_i, β_i are 
functions of Ê and s*_{G_1,j}, j ∈ S'. 

— For our construction to succeed, A*_{G_1} · ∏_{j ∈ V \ {G_1}} A_j = y. 
The right hand side is known and of the form g^c, and the left hand 
side is an expression in the α_i, β_i and the unknown s*_{G_1,r}. Hence we can 
solve to find s*_{G_1,r} and then evaluate the expression for A*_{G_1}. 

3. Broadcast A_i for i ∈ Q \ G_1 and A*_{G_1}. 

4. Perform the checks of step 4.(b) of the algorithm for each player i ∈ Q on the 
A_j, j ∈ B broadcast by the adversary's players and broadcast any necessary 
complaints. 

5. The adversary cannot file a valid complaint against any honest player since 
all the messages followed the protocol. However, the simulator must recover 
from the adversary's actions. The simulator will follow the protocol of 4.(c) 
to recover the a_i for players who did not share their A_i properly. 

The simulator will result in an identical distribution of the observed a_i, a'_i as 
would be expected from a non-simulated run that generated the public key y. 
This is because the simulator uses the original, random a_i, a'_i for i ∈ Q \ G_1. Also 
a*_{G_1} is chosen to be random subject to the constraint above. It remains to be 
shown that a'*_{G_1} is also random. The relationship between a*_{G_1}, a'*_{G_1} is established 
through the public commitment C_{G_1} = g^{a_{G_1}} h^{a'_{G_1}} = g^{a*_{G_1}} h^{a'*_{G_1}}. This implies 
a'*_{G_1} = dlog_g(h)^{−1} · (a_{G_1} − a*_{G_1}) + a'_{G_1}, which inherits its randomness from 
a'_{G_1}. 

4.10 Communication Complexity and Running Time 

The primary objective of the matrix-based constraint algorithm is to reduce 
both the communication complexity and running time for the users participat- 
ing in the key generation without significantly affecting the chance that the 
algorithm fails to properly generate a key. As described above, a fraction of each 
user's secret as well as a bit-committed version of the secret will be sent to 
ℓ/2ε² = O(log n) other users. Hence this communication accounts for O(ℓ²) 
messages since the secret is of length O(ℓ), using Byzantine agreement for the 
broadcast. If γ > 1/3 then we must use authenticated Byzantine agreement [6]. 
Also, we will incur greater costs in the dealing phase since this operation can- 
not be simply composed [7]. If γ < 1/3 we can reduce the dealing cost by using 
the technique proposed by Cachin, Kursawe and Shoup [3]. In the presence of 
dishonest players, this cost grows by a factor of O(ℓ) since each dishonest player 
can cause two more broadcasts to occur within the checking group. In the second 
phase of the protocol, without any adversaries the cost is again O(ℓ²) messages. 
With adversaries, this cost again increases by a factor of O(ℓ) since each member 
of the checking group must broadcast. 

The running time for this algorithm is also much shorter than that of previous 
solutions to this problem. Each player is a member of O(ℓ) checking groups and 
must check one equation for each. Each equation is a product of O(ℓ) modular 
exponentiations, so the cost is O(ℓ²) exponentiations. 

The constants in these asymptotic expressions are very reasonable. For an 
n^{−κ} chance of failure, if ε = 1/10, then a suitable setting for ℓ is 17 log n. A 
linear increase of ℓ results in either an exponentially smaller failure probability 
or a linear decrease in ε. Since the checking groups are of size ℓ/2ε², they are more 
sensitive to the value of ε. In practice, it is reasonable for the gap between the 
fraction of dishonest parties and the fraction of shares required for reconstruction 
to be a fixed constant, so the size of the Q_i is logarithmic with a small leading 
constant. 
5 Appendix 

Lemma 2. Consider a (reflecting) random walk X_i defined in terms of a se- 
quence of differences D_i: 

$$X_0 = 0, \qquad X_{i+1} = \max(0,\; X_i + D_{i+1})$$

The sequence of differences D_1, D_2, …, D_n is generated at random and satisfies: 

$$|\{i \mid D_i = 1\}| = \alpha n = r, \qquad |\{i \mid D_i = -1\}| = (1-\alpha)n = s$$

Let α = 1/2 − ε. Then the probability that the walk has reached ℓ = … 
in n or fewer steps is P(X_j = ℓ, j ≤ n) < n^{−κ}. 



Proof. Let B_{ij} be the event that X_{i+j} = ℓ, X_i = 0, X_k ≠ 0 for i < k < i + j. That 
is, the event where i is the last time that the walk is at 0 and the walk is at ℓ after 
j more steps. Of those j steps, such a walk will have exactly ℓ more steps to the 
right than steps to the left. Hence there are d = (j − ℓ)/2 left steps and d + ℓ right 
steps. There are fewer than $\binom{j}{d}$ ways to choose the order of the steps. Condition 
the sequence of differences on those j steps: 

$$P(B_{ij}) \le \binom{j}{d}\,\frac{\left(\prod_{k=0}^{d-1}(s-k)\right)\left(\prod_{k=0}^{d+\ell-1}(r-k)\right)}{\prod_{k=0}^{j-1}(n-k)}
= \binom{j}{d}\prod_{k=0}^{d-1}\frac{(s-k)(r-k)}{(n-2k)(n-2k-1)}\;\prod_{k=0}^{\ell-1}\frac{r-d-k}{n-2d-k}$$

Observe that if a + b = c and b < c/2 − 1 then ab/(c(c − 1)) < 1/4. Also 
(r − d − k)/(n − 2d − k) ≤ r/n = 1/2 − ε for arbitrary d, k since r < n/2, so that: 

$$P(B_{ij}) < \binom{j}{d}\left(\tfrac{1}{4}\right)^{d}\left(\tfrac{1}{2}-\varepsilon\right)^{\ell}
\le 2^{2d+\ell}\,4^{-d}\left(\tfrac{1}{2}-\varepsilon\right)^{\ell} = (1-2\varepsilon)^{\ell}$$

So P(B_{ij}) < (1 − 2ε)^ℓ = n^{−(κ+2)}. Now there are fewer than n choices for either 
i or j so that P(∪_{ij} B_{ij}) < n^{−κ}. 
Abstract. We prove a tight lower bound for generic protocols for secure 
multicast key distribution where the messages sent by the group manager 
for rekeying the group are obtained by arbitrarily nested application 
of a symmetric-key encryption scheme, with random or pseudorandom 
keys. Our lower bound shows that the amortized cost of updating the 
group key for a secure multicast protocol (measured as the number of 
messages transmitted per membership change) is log_2(n) + o(1). This 
lower bound matches (up to a small additive constant) the upper bound 
of Canetti, Garay, Itkis, Micciancio, Naor and Pinkas (Infocomm 1999), 
and is essentially optimal. 
1 Introduction 

Broadcast and multicast are communication primitives of fundamental impor- 
tance for many emerging internet (or more generally, network) applications, like 
teleconferencing, pay TV, on-line gaming, electronic news delivery, etc. Roughly 
speaking, broadcast allows data to be (simultaneously) delivered to all nodes in a 
network at a much smaller cost (in terms of network resources) than transmitting 
it individually to each intended recipient, and it is essential for the scalability of 
the applications to groups of medium and large size. Multicast achieves a similar 
goal, but with an arbitrary (and, often, dynamically changing) set of recipients 
that does not necessarily include all the nodes in the network. From a security 
point of view, broadcast and multicast raise many new and challenging issues 
that are not directly addressed by conventional (point-to-point) cryptographic 
techniques. (See [3] for a survey.) 

* This material is based upon work supported by the National Science Foundation 
under Grant GCR-0313241 and a Sloan Research Fellowship. Any opinions, findings, 
and conclusions or recommendations expressed in this material are those of the 
author(s) and do not necessarily reflect the views of the National Science Foundation. 
Security properties. As in point-to-point communication (unicast), the two main 
security concerns are secrecy and authenticity. In this paper we concentrate on 
the secrecy property, i.e., making sure that only group members can receive 
the transmitted data (See Sect. 3 for a precise definition of our communica- 
tion and security model). Two distinct models have been considered within the 
cryptographic community to study secrecy properties in broadcast and multicast 
scenarios. One, called broadcast encryption, is motivated mostly by pay TV and 
similar applications where an information provider communicates with a large 
(and highly dynamic) set of low-end receivers (e.g., set-top boxes). The other, 
usually called multicast encryption or multicast key distribution, is more closely 
related to internet applications, where a dynamically changing, but relatively 
stable, group of users wants to broadcast messages within the group, while keep- 
ing the content of the messages hidden from users that do not currently belong 
to the group. This is the model we study in this paper, and we refer the reader 
to Sect. 2 for a brief discussion of related work, including broadcast encryption 
as well as other security properties like authenticity. 

In unicast, secrecy is easily achieved by establishing a secret key between 
the two communicating parties, who, in turn, use the key to encrypt all com- 
munication using a conventional (symmetric-key) encryption scheme. A similar 
approach may be used for multicast as well: once a secret key (common to all 
group members) is established, secrecy can be achieved by encrypting all com- 
munication under the common key. However, in the presence of a dynamically 
changing group, establishing a common secret key can be quite an onerous task: 
each time a user leaves the group (voluntarily or not), a new group key needs to 
be established in order to protect future communication. We consider a setting 
where a single (physical or logical) entity (called the group center) has authority 
over deciding group membership and is in charge of group key distribution. The 
problem is how the group center can securely communicate a new key to all the 
remaining group members, after one of them leaves the group, in such a way 
that the evicted user cannot recover the new key. Since the old group key can 
no longer be used to secure communication, communicating a new key seem- 
ingly requires unicasting the new key individually to all group members (e.g., as 
advocated in [10,9]), but this is clearly not a scalable solution as it would lose 
essentially all the potential efficiency benefits of using a multicast channel. The 
now standard approach to this problem, suggested in [16,15], is to maintain not 
only a group key, known to all group members, but also a collection of auxil- 
iary keys known to selected subsets of members that can be used to efficiently 
communicate to subsets of the group when the group membership changes. The 
solution described in [16,15] requires the transmission of 2 log_2 n messages¹ each 
time a user leaves and another one joins the group, where n is the size of the 



¹ We measure the communication complexity in basic messages, where each message 
is a fixed size packet of sufficiently large size to allow for the transmission of a single 
(possibly encrypted) key. 
group². Although this is exponentially more efficient than the trivial solution 
requiring n (unicast) transmissions, it would be desirable to have even more 
efficient solutions with smaller communication complexity. In [3] an improved 
solution is given, where the number of transmissions is reduced by a factor of 2, 
but remains logarithmic in the number of group members. 

Previous lower bounds. Our inability to find even better solutions to the multi- 
cast key distribution problem has prompted many researchers to explore lower 
bounds, showing that no such improvement is indeed possible, under reason- 
able assumptions about the protocol. The first non-trivial communication lower 
bound for multicast security was proved in [4] for a restricted class of protocols, 
namely protocols where the group members have a bounded amount of memory, 
or the key distribution scheme has some special “structure preserving” property. 
A different, and seemingly optimal, lower bound, for a more general class of pro- 
tocols without memory or structure restrictions was subsequently proved in [14], 
where it was shown that any secure multicast key distribution protocol (within 
a certain class) can be forced to transmit at least 3 log3 n messages for every 
group update operation (averaged over a long sequence of update operations). 
[14] also suggested a simple variant of the protocol of [16,15] (basically, replac- 
ing binary trees with ternary ones) meeting their lower bound. This apparently 
closed the gap between upper and lower bounds for multicast key distribution 
protocols, putting a final word to the search for an optimal solution. The class 
of protocols considered in [14] restricts the group center to transmit messages of 
the form E_{k_1}(k_2) consisting of a key k_2 encrypted with another key k_1. Although 
not explicitly stated in [14], it is important to note that more general protocols 
are indeed possible and have also been considered in practice. For example, two 
relatively standard, and eminently practical, techniques very common in cryp- 
tography are the following: 

— The use of a pseudorandom generator, say G, to expand a single key k_0 into 
two or more (seemingly random and independent) keys (k_1, k_2, …, k_m) = 
G(k_0). In principle, this allows one to transmit multiple keys at the price of 
one, by sending the seed k_0, instead of transmitting the pseudorandom keys 
individually. 

— The use of double (or multiply iterated) encryption, where more encryption 
functions are applied in a sequence to the same message before transmission. 
For example, consider a group of four users u_1, u_2, u_3, u_4, where each user 
u_i knows a private key k_i. Assume two auxiliary keys k and k' are known 
to groups u_1, u_2, u_3 and u_2, u_3, u_4 respectively. Then a new key k'' can be 
sent to users u_2 and u_3 by transmitting a single (doubly encrypted) message 
E_k(E_{k'}(k'')). Notice that using single encryption, as in the model considered 

² For simplicity, we consider groups of fixed size in analyzing multicast key distribution 
i.e. we assume that each time a user leaves, another one is immediately added. So 
the size of the group is always equal to n. We refer to each leave/join operation as a 
“group update operation”. See Sect. 6 for a discussion on variable-sized groups with 
separate leave and join operations. 
in [4,14], communicating to the same group of users requires the transmission 
of two messages E_{k_2}(k'') and E_{k_3}(k''). 

The inadequacy of the model used by previous lower bounds [4,14] is clearly 
demonstrated by known (and practical) protocols that “beat” the lower bound 
proved in [14]. For example, [3] uses pseudorandom generators to improve the 
communication complexity of [16,15] by a factor of 2, resulting in a secure key 
distribution protocol where all update operations can be performed by transmit- 
ting log_2(n) messages, which is strictly smaller than the 3 log_3(n) ≈ 1.89 log_2(n) 
lower bound proved in [14]. This observation opens up again the possibility of 
further improving the communication complexity of multicast key distribution, 
or proving more satisfactory lower bounds for more general classes of protocols. 

Our contribution. In this paper, we consider generic protocols for multicast key 
distribution that make arbitrary use of pseudorandom generators and encryption 
algorithms, where both techniques can be mixed and iteratively applied multiple 
times in arbitrary ways. In our model, keys can be either freshly generated 
(i.e. are purely random) or produced by applying a pseudorandom generator 
(polynomially many times) on freshly generated keys. Messages sent out by the 
group center for rekeying the group are composed by encrypting keys iteratively 
using different (random or pseudorandom) keys for encryption at each iteration 
(See Sect. 3 for a complete description of our model). 

The lower bound we prove in this paper on multicast key distribution pro- 
tocols matches the upper bound of [3] up to a small additive term. We demon- 
strate that in any protocol where the group center broadcasts arbitrary expres- 
sions built according to our formal logic for messages, the center must transmit 
log_2(n) + o(1) messages per group update operation in the worst case (here, n 
is the size of the group and the number of messages per update operation is 
measured by amortizing over an infinite sequence of such operations). In other 
words, we demonstrate that the use of pseudorandom generators suggested in 
[3] is essentially optimal, and that even a combined use of iterated encryption 
does not substantially help to improve the worst-case communication complexity 
below log_2(n) messages per update. 

Organization. In Sect. 2 we briefly review related work. In Sect. 3 we give a 
detailed description of the model used to prove our lower bound. The actual 
lower bound is proved in Sects. 4 and 5. Section 6 concludes the paper with a 
discussion on possible extensions to our model. 

2 Related Work 

Previous work on secure communication in broadcast and multicast scenarios is 
based on two distinct formulations. The first one, often referred to as broadcast 
encryption, has received much attention from the cryptographic community (e.g., 
[6,11].) In this model, as originally introduced by Fiat and Naor [6], receivers 
are stateless, in the sense that they receive a set of keys at the very beginning 
of the protocol, and they never update their state during protocol execution. 
However, broadcast encryption schemes are typically secure only against coali- 
tions of bounded size. An essentially optimal lower bound on the communication 
complexity of broadcast encryption (as a function of the amount of key storage 
allowed per user) was given by Luby and Staddon in [11]. 

In this paper we consider a different scenario more closely related to internet 
applications, where the users maintain state, the group of recipients changes over 
time, and all users in the group may broadcast information to the other group 
members. As discussed in the following section, this problem is equivalent to 
the key distribution problem, where a common secret key is established among 
all current group members, and updated over time as the group membership 
changes. This problem, usually called multicast encryption or multicast key dis- 
tribution, is the one studied for example in [16,15,4,14] already discussed in the 
introduction. 

Besides secrecy, other important security issues are authenticity, i.e., making 
sure that only authorized users can transmit messages and these messages can- 
not be altered during transmission, independence, i.e., emulating a synchronous 
network where all players transmit and receive messages at the same time (e.g., 
see [7]), and availability, e.g., protecting the network against denial of service 
attacks. These are all different security concerns that can be addressed sepa- 
rately using the appropriate cryptographic techniques. Here we briefly discuss 
authenticity. As discussed in [3], one can distinguish different kinds of authen- 
ticity. The simplest kind only ensures that the sender of the information is one 
of the current group members. This can be achieved using the same techniques 
studied in this paper (e.g., establishing a common secret key and using it within 
a message authentication protocol.) Individual authentication is a much harder 
problem, and it has been shown that it is actually equivalent to using public key 
digital signatures [2]. 

3 The Model 

We consider a scenario in which an information provider wishes to communicate 
to a selected (and dynamically changing) set of users over a broadcast channel. 
At any point in time, all users may receive the information sent over the broad- 
cast channel, and we want to ensure that only current group members can deci- 
pher the transmitted information and recover the original messages sent by the 
information provider. A centralized trusted authority, called the group center, 
governs access to the group³. The problem of secure multicast communication 
is easily seen to be equivalent to the problem of establishing a common secret 
key, known to all and only the current group members: on the one hand, given 
a secret key shared among all current group members, the information provider 
can securely communicate with all group members by encrypting its messages 

³ We remark that such a group center is only a logical abstraction, and does not 
necessarily correspond to any single physical entity, like the information provider or 
any of the group members. 
using a secure symmetric key encryption scheme. On the other hand, given a 
secure multicast protocol, the center can immediately establish a common se- 
cret key among all current group members by picking a new key at random and 
securely transmitting it to all group members using the secure multicast proto- 
col. Therefore, in the rest of the paper we identify secure multicast encryption 
with the group key distribution problem. We remark that a common secret key 
allows all group members to act as information providers and securely transmit 
information encrypted under the common secret key. The common secret key 
can also be used to achieve additional security goals besides secrecy (e.g., 
message integrity against non-members). 

3.1 Protocol Initialization 

We assume users come from a fixed, but potentially infinite, set U and that they 
communicate with the group center using a reliable and authenticated broadcast 
channel. At every time instant t a finite set of users, M_t ⊆ U, referred to as 
members, holds a shared secret key which is supposed to be known only to the 
users in this set. All users and the center have black-box access to three functions, 
E, D and G, where the functions (E, D) model an encryption/decryption pair 
and G models a pseudorandom generator. We think of these three functions as 
abstract operations satisfying the following conditions: 

— E takes as input two expressions, K (a key) and γ (a message), and outputs 
another expression, β (a ciphertext). D takes two expressions, K' and β', as 
input and outputs a third expression γ'. These operations satisfy the obvious 
correctness condition: D(K, E(K, γ)) = γ. We write E_K(γ) for E(K, γ). 

— G takes as input a key K and outputs two keys, denoted G_0(K) and G_1(K). 
In other words, the function G models a length-doubling pseudorandom gen- 
erator. We remark that our choice of using a length-doubling generator (and 
not a more general one) is only for the purpose of simplifying the analysis 
and it does not impact our lower bound in any way⁴. 

Every user u_i ∈ U also has a secret key K_i (referred to as the unique key of that 
user) that is known only to him and the group center from the beginning of 
protocol execution (such a key may be established using different techniques in 
a setup phase using, say, unicast and public key cryptography). 

3.2 Rekey Messages 

Changes in the group membership (i.e. the set M_t) over time are modeled using 
an adversary who adaptively chooses to add and delete members from the group. 

⁴ Indeed, our lower bound can be shown to hold even if we replace G with a func- 
tion that takes as input a single key and outputs arbitrarily many pseudorandom 
keys. An intuitive reason for this is that any pseudorandom generator with arbitrary 
expansion-factor can be easily built using only a length-doubling generator. The 
proof of Lemma 2 makes this clearer. 


Optimal Communication Complexity of Generic Multicast Key Distribution 

At every point in time t, our adversary examines the history and current state 
of the protocol and issues one of the following three commands: 

— JOIN(u_i): set M_{t+1} = M_t ∪ {u_i}, 

— LEAVE(u_i): set M_{t+1} = M_t \ {u_i}, 

— REPLACE(u_i, u_j): set M_{t+1} = M_t \ {u_i} ∪ {u_j}. 

In response to a membership change request, the group center transmits a set 
of messages S_t = (γ_1, …, γ_{|S_t|}), known as rekey messages, over the broadcast 
channel where each rekey message, γ_i, is a symbolic expression derived using the 
following grammar: 

$$\mathsf{M} \to E_{\mathsf{K}}(\mathsf{M}) \mid \mathsf{K} \qquad\qquad (1)$$
$$\mathsf{K} \to \mathcal{K} \mid G_0(\mathsf{K}) \mid G_1(\mathsf{K})$$

Here, the symbol M represents messages while the symbol K represents keys. 
The expression 𝒦 models any basic (i.e. freshly generated) key, including unique 
keys of users. Messages can be built from keys by iterated application of the 
encryption function, E, with basic keys or derived keys (obtained using the 
pseudorandom generator)⁵. 

Communication Complexity. The communication complexity of a group key dis- 
tribution protocol is defined in terms of the number of rekey messages transmit- 
ted by the center per update operation performed on the group. The cost of 
transmitting a set of messages St equals the number of basic messages in the set 
(i.e. |S_t|). The amortized cost of a group key distribution protocol in the course 
of a sequence of such adversarial operations is the ratio of the total number of 
messages transmitted by the center in that period to the total number of oper- 
ations performed. This is expressed in terms of the size of the group, which is 
the maximum number of members in the group at any stage in that sequence of 
operations (As we will see, in our lower bound analysis, the number of members 
is kept constant across time). The amortized communication complexity of the 
protocol is the maximum amortized cost it has to incur in the course of any 
sequence of adversarial operations. We are interested in a lower bound on the 
amortized communication complexity for any group key distribution protocol 
satisfying certain constraints. We next describe what these constraints are. 

3.3 Security Definition 

We analyze the security of key distribution protocols with respect to the abstract 
cryptographic operations E, D and G. This approach is similar to that taken in 
previous lower bounds for this problem [4, 14], except that we also allow for the 
use of pseudorandomness and arbitrarily nested encryption as dictated by our 
grammar. 

^ Note that we do not allow the use of expressions of the form $E_K(M)$ (i.e. ciphertexts) 
either as keys or as inputs to the pseudorandom generator, because ciphertexts do not 
necessarily have the (pseudo)randomness properties necessary to prove that such an 
application would be secure. For example, given any (provably secure) encryption 
function, E, it is possible to build another (provably secure) encryption function, 
E', such that one can easily recover a message, $\gamma$, from a corresponding ciphertext 
$E'_{E'_{K_0}(K_1)}(\gamma)$ even without knowing either of the keys $K_0$ and $K_1$. 

Definition 1. For any set, S, of messages obtained using grammar (1), we define 
the set of keys that can be derived from S as the smallest set, Keys(S), which 
satisfies the following three conditions: 

- If $K_0 \in S$, then $K_0 \in \mathrm{Keys}(S)$. 

- If $K_0 \in \mathrm{Keys}(S)$, then $G_0(K_0) \in \mathrm{Keys}(S)$ and $G_1(K_0) \in \mathrm{Keys}(S)$. 

- If $E_{K_1}(E_{K_2}(\cdots(E_{K_l}(K_0)))) \in S$ and $K_1, \ldots, K_l \in \mathrm{Keys}(S)$, then 
$K_0 \in \mathrm{Keys}(S)$. 

This definition corresponds to the intuitive idea that given $E_K(M)$ one can compute 
M if and only if K is known, and given K everybody can compute $G_0(K)$ 
and $G_1(K)$ by applying the pseudorandom generator to K. However, since 
pseudorandom generators are one-way, given $G_0(K)$ or $G_1(K)$ (or both) one cannot 
recover K, or even tell whether $G_0(K), G_1(K)$ is in the range of the pseudorandom 
generator. This is essentially a straightforward generalization of the Dolev-Yao [5] 
model of encryption, extended with pseudorandom generation. Analyzing security 
of protocols with respect to this formal cryptographic model is motivated by 
the fact that we would like the protocols to be secure independently of the 
specific instantiation of the underlying cryptographic building blocks. The formal 
analysis can be made precise and interpreted in standard complexity-theoretic 
terms by extending known soundness and completeness results of [1, 12]. 

Definition 2. We say that a group key distribution protocol is secure if for 
any sequence of adversarial operations, and for every time instant t, there exists 
a key, K, such that 

- $K \in \mathrm{Keys}(S_1 \cup \cdots \cup S_t \cup \{K_i\})$ for all $u_i \in \mathcal{M}_t$, i.e., key K can be computed 
by all current group members at time t; 

- $K \notin \mathrm{Keys}(S_1 \cup \cdots \cup S_t \cup \{K_i : u_i \notin \mathcal{M}_t\})$, i.e., the users that do not belong to 
the group at time t cannot compute K even if they collude and pool together 
all the information available to them. 

The first clause in the definition is a correctness criterion while the second clause 
is the main security condition. Note that our definition of security is a bit 
restrictive in that it requires non-members not to be able to obtain the shared 
secret key at any instant of time based only on the information obtained at or 
before that instant. Intuitively, this captures the idea that if a user leaves the 
group (i.e. becomes a non-member) at some point, then he should not be able to 
decrypt any future communication (even if he colludes with other non-members 
to do so), unless, of course, he is added back to the group. This kind of security 
is often referred to as forward secrecy. However, one could also require that the 
shared secret key at any instant be such that the non-members (at that instant) 
are not able to compute it even later on, i.e. even if some of them become 
members in the future. Such a security requirement is more stringent and it captures 
the notion that any new entrant to the group should not be able to compute the 
shared key for any past instant when he was not a member (a requirement often 
referred to as backward secrecy). In order for a protocol to satisfy both forward 
and backward secrecy, we must strengthen the security condition above so that 
$K \notin \mathrm{Keys}(S_1 \cup \cdots \cup S_{t'} \cup \{K_i : u_i \notin \mathcal{M}_t\})$ for all $t' \geq t$. We remark that backward 
secrecy is usually considered a less important property than forward secrecy, as 
in many multicast applications (e.g., stock quotes) information loses value over 
time. The lower bound proved in this paper only requires forward secrecy and 
is, thus, applicable to protocols satisfying the more stringent definition, too. 

Another important remark is the following. Since most networking protocols 
do not provide any form of security, it is a good practice to assume that an 
adversary attacking the network has access to all transmitted data, which needs 
to be properly protected using appropriate cryptographic techniques. Moreover, 
this allows for the development of security solutions that are independent of the 
underlying networking technology. In the above definition, the security criterion 
models the fact that the adversary has complete knowledge of all past communi- 
cation. The assumption of infinite memory is less reasonable in the case of group 
members in our correctness criterion, but giving all past broadcast messages to 
all users makes our security definition less stringent, and consequently it only 
makes our lower bound stronger. We refer the interested reader to Sect. 6 for a 
discussion on possible extensions to our model. 



4 The Multicast Game 

For the actual lower bound analysis, it is useful to view every secure group 
key distribution protocol as an abstract game, which we call the multicast game, 
played between the group center, C, and the adversary, A. In this game, keys are 
modelled as nodes in an infinite hypergraph. Each node corresponds to either 
a basic key (recall that basic keys include unique keys of users as well) or a 
derived key obtained by applying the pseudorandom generator to some other key. 
Messages transmitted by the group center are modeled as directed hyperedges, 
so that the cost incurred by the center equals the number of hyperedges in the 
graph. For any user, the set of keys known to him at any time is defined as the 
set of nodes that can be “reached” from the node representing his unique key 
following the hyperedges. Details follow. 



4.1 Game Configurations 

The playing board for the multicast game is an infinite collection of rooted binary 
trees, $\mathcal{T} = \{T_1, T_2, \ldots\}$, each containing an infinite number of nodes. The entire 
set of nodes in these trees is denoted V. The edges are directed edges and every 
tree in $\mathcal{T}$ has one root node which has zero in-degree while all other nodes have 
in-degree equal to 1. The out-degree of all nodes, including the root, is equal to 
2. Every node in this playing board represents a key K. The roots of the trees are 
associated to the basic keys, while the internal nodes are pseudorandom keys. 
The two children of a node represent keys $G_0(K)$ and $G_1(K)$, the keys that 
can be obtained by applying the pseudorandom generator to the key, K, of the 
parent node. 

The root nodes of some (but not all) trees in $\mathcal{T}$ correspond to the unique 
keys, $K_i$, of all users. We refer to these special trees as user trees and denote 
the entire set of user trees by U. At any given point in time during the game, 
the root of every tree in U has one of two labels associated with it: member 
or non-member. We refer to the edges in the trees in $\mathcal{T}$ as tree-edges or simply 
t-edges, and the entire set of t-edges in all the trees is denoted T. A t-edge from 
a node $v_1$ to a node $v_2$ is denoted $v_1 \to v_2$. 

Rekey messages sent by the group center are modeled as hyperedges as follows. 
A directed hyper-edge, or simply an h-edge, over nodes in V is a pair (R, v), 
denoted $R \to v$, where R is a finite subset of V and v is a single node. The h-edge 
$R \to v$ is said to be incident on v. The hyperedge $\{K_1, \ldots, K_d\} \to K$ models a 
rekey message of the form $E_{K_1}(E_{K_2}(\cdots E_{K_d}(K) \cdots))$. Here, $K_1, \ldots, K_d, K$ can 
be either basic or derived keys (i.e., keys associated to either root or internal 
nodes), and the encryptions can be performed in any order. 

A configuration, C, of the multicast game is defined as a triple $C = (\mathcal{M}, \mathcal{N}, \mathcal{H})$, 
where $\mathcal{M}$ is the set of all member nodes, $\mathcal{N}$ is the set of all non-member nodes 
and $\mathcal{H}$ is a (finite) set of h-edges over nodes in V. The union $\mathcal{M} \cup \mathcal{N}$ is always 
equal to the set of roots of the user trees in U. A configuration of the game at 
time t corresponds to the state of the group key distribution protocol at time 
t, with $\mathcal{M}$ representing the set of members, $\mathcal{N}$ the set of non-members and $\mathcal{H}$ 
the set $S_0 \cup S_1 \cup S_2 \cup \cdots \cup S_t$ of rekey messages transmitted by C in response 
to the first t group update operations (plus an optional set $S_0$ corresponding to 
the initial configuration of the game). 



4.2 Defining Moves of Players 

Each move by player C in our game involves adding zero or more h-edges and 
each move by player A involves changing the label on a node labelled member to 
non-member or vice versa, or swapping a member with a non-member. Formally, 
if the game is in a configuration $C = (\mathcal{M}, \mathcal{N}, \mathcal{H})$, then 

- a move by player C changes the configuration of the game to $C' = (\mathcal{M}, \mathcal{N}, \mathcal{H}')$ 
where $\mathcal{H}' = \mathcal{H} \cup \mathcal{H}_a$ and $\mathcal{H}_a$ is a finite (possibly empty) set of h-edges over 
nodes in V; 

- a move by player A changes the configuration to $C' = (\mathcal{M}', \mathcal{N}', \mathcal{H})$ where 
either 

  • $\mathcal{M}' = \mathcal{M} \setminus \{v_m\}$ and $\mathcal{N}' = \mathcal{N} \cup \{v_m\}$ for some $v_m \in \mathcal{M}$ (we call this a 
delete move and we say that the node $v_m$ gets deleted from $\mathcal{M}$); or 

  • $\mathcal{M}' = \mathcal{M} \cup \{v_n\}$ and $\mathcal{N}' = \mathcal{N} \setminus \{v_n\}$ for some $v_n \in \mathcal{N}$ (we call this an 
add move and we say that the node $v_n$ gets added to $\mathcal{M}$); or 

  • $\mathcal{M}' = \mathcal{M} \cup \{v_n\} \setminus \{v_m\}$ and $\mathcal{N}' = \mathcal{N} \setminus \{v_n\} \cup \{v_m\}$ for some $v_n \in \mathcal{N}$ 
and $v_m \in \mathcal{M}$ (we call this a replace move and we say that the node 
$v_m$ gets replaced by $v_n$). This corresponds to a simultaneous execution 
of an add move and a delete move, and it leaves the size, $|\mathcal{M}|$, of the 
group unchanged. 

At any time instant t, a pair of moves is played, the first move being played 
by A, followed by a response by C. Associated with each player's move is a 
cost function. The cost of a move by player C is the number of h-edges added 
by him, i.e. if a move by player C takes the game from $C = (\mathcal{M}, \mathcal{N}, \mathcal{H})$ to 
$C' = (\mathcal{M}, \mathcal{N}, \mathcal{H}')$ then the cost of the move is $|\mathcal{H}'| - |\mathcal{H}|$. The cost of any move 
by player A is 1. For simplicity, we concentrate on replace operations that 
leave the size of the group unchanged (since we are interested in proving a lower 
bound, considering only replace operations only makes our result stronger). 



4.3 Defining Goals of Players 

The security notion described in Sect. 3 is easily modeled in terms of reachability 
between nodes in the hypergraph corresponding to the current configuration. 

Definition 3. A node, $v \in V$, is called h-reachable from a set of nodes, $\mathcal{V} \subseteq V$, 
under a configuration $C = (\mathcal{M}, \mathcal{N}, \mathcal{H})$ if any of the following conditions hold: 

- $v \in \mathcal{V}$. 

- There exists a t-edge from some node $v'$ to v and $v'$ is h-reachable from $\mathcal{V}$. 

- For some $m \geq 0$ and a set of nodes, $\mathcal{V}' = \{v_1, v_2, \ldots, v_m\} \subseteq V$, there exists 
an h-edge $\mathcal{V}' \to v$ in $\mathcal{H}$ and each of the nodes $v_1, \ldots, v_m$ is h-reachable from 
$\mathcal{V}$. 

We write $\mathcal{V} \Rightarrow_C v$ to denote that v is h-reachable from $\mathcal{V}$ under C and $\mathcal{V} \not\Rightarrow_C v$ 
to denote the converse. We say that v is h-reachable from a node $v'$ under C if 
$\{v'\} \Rightarrow_C v$ holds; this is denoted simply by $v' \Rightarrow_C v$ (similarly, $v' \not\Rightarrow_C v$ denotes 
that v is not h-reachable from $v'$ under C). If S is the set of rekey messages 
represented by $\mathcal{H}$, the set of h-edges in C, and $\mathcal{K}$ the set of keys represented by 
$\mathcal{V}$, then the set of nodes h-reachable from $\mathcal{V}$ under C corresponds exactly to the 
set of keys $\mathrm{Keys}(\mathcal{K} \cup S)$ that can be computed from $\mathcal{K}$ and S according to the 
Dolev-Yao model of abstract encryption described in Sect. 3. 

A configuration which satisfies the security constraint for group key distribution 
is called a secure configuration: 

Definition 4. (Secure Configuration) A configuration $C = (\mathcal{M}, \mathcal{N}, \mathcal{H})$ is 
called a secure configuration if there exists a node, $v_s \in V$, such that 

- $v_s$ is h-reachable from every node in $\mathcal{M}$ under C, i.e. $\forall v \in \mathcal{M}, v \Rightarrow_C v_s$; 

- $v_s$ is not h-reachable from $\mathcal{N}$ under C, i.e. $\mathcal{N} \not\Rightarrow_C v_s$. 

A node, $v_s$, which satisfies this property is called a secret node for the 
corresponding secure configuration. 
Clearly, the shared secret key at any instant of time, t, in the protocol must be 
(represented by) one of the secret nodes for the game configuration corresponding 
to time t. 

Goals of the players can now be defined in terms of secure configurations. 
The goal of player C is that at the end of each of his moves, the game be in a 
secure configuration. The goal of player A is the converse of this i.e. at the end 
of at least one of player C’s moves, the configuration of the game is not secure. 
Our aim here is to determine the minimum cost that every player C needs to 
pay, relative to the cost paid by player A, in order to be able to attain his goal 
in the game against any player A. 



5 The Lower Bound Proof 

In this section we present our main technical result on multicast games, which 
directly implies the lower bound for secure group key distribution protocols. 

5.1 Usefulness of h-edges and Canonical Graphs 

Let us fix a configuration, $C = (\mathcal{M}, \mathcal{N}, \mathcal{H})$, in the multicast game for this entire 
subsection. An h-edge, $\mathcal{V} \to v$, in $\mathcal{H}$ is said to be useless under C if $\mathcal{N} \Rightarrow_C v$. An 
h-edge which is not useless under C is called useful under it. By the definition 
of h-reachability, for every useful h-edge, $\mathcal{V} \to v$, in $\mathcal{H}$, there must exist at least 
one node in $\mathcal{V}$ which is not h-reachable from $\mathcal{N}$ under C. We assume an arbitrary 
total order on the set V of all nodes. For any useful h-edge $\mathcal{V} \to v$, the first node 
(according to the total ordering) in $\mathcal{V}$ which is not h-reachable from $\mathcal{N}$ (under C) 
is referred to as the canonical node of that h-edge. Canonical nodes are defined 
only for useful h-edges. 

A canonical edge, or c-edge, corresponding to a useful h-edge, $\mathcal{V} \to v$, is a 
simple directed edge from the canonical node, $v_c$, of that h-edge to v and is 
denoted $v_c \to v$. The definitions of canonical nodes and edges are both specific 
to the configuration C. 

Definition 5. Let $C = (\mathcal{M}, \mathcal{N}, \mathcal{H})$ be a configuration of the multicast game. A 
canonical path or a c-path from a node $v_1$ to another node $v_2$ ($v_1, v_2 \in V$) under 
C, denoted $v_1 \leadsto_C v_2$, is a path consisting of zero or more t-edges and c-edges 
such that all nodes on this path are h-reachable from $v_1$. 

At this point it is not clear whether a canonical path must exist from any node 
$v_1$ to any other node $v_2$. Indeed, this does not hold for every pair $(v_1, v_2)$. The 
following lemma characterizes the existence of canonical paths for certain pairs 
of nodes: a canonical path from $v_1$ to $v_2$ must exist if $v_2$ is h-reachable from $v_1$ 
but is not h-reachable from the set $\mathcal{N}$. 

Lemma 1. For any configuration $C = (\mathcal{M}, \mathcal{N}, \mathcal{H})$ and any two nodes $v_1, v_2 \in V$, 
if $\{v_1\} \Rightarrow_C v_2$ and $\mathcal{N} \not\Rightarrow_C v_2$, then there exists a c-path from $v_1$ to $v_2$ under C. 
Proof. Let $R(v_1) \subseteq V$ denote the set of all nodes which are h-reachable from $v_1$ 
(here, and everywhere else in the proof, h-reachable means h-reachable under 
C). Let $B \subseteq R(v_1)$ be the set of bad nodes, i.e. the nodes $v_2 \in R(v_1)$ that are not 
h-reachable from $\mathcal{N}$ and yet for which there exists no c-path from $v_1$ to $v_2$. Let 
$G = R(v_1) \setminus B$ (the set of good nodes). We claim that either the set of bad nodes 
is empty or (if not so) $v_1$ is in it (i.e. $B = \emptyset$ or $v_1 \in B$). 

Suppose this is not the case, i.e. suppose that B is non-empty and it still 
does not contain $v_1$. Then, for all nodes in B to be h-reachable from $v_1$, there 
exists some node $v_2 \in B$ such that one of the following conditions holds: (i) for 
some $v \in G$, $v \to v_2 \in T$; (ii) for some $\mathcal{V} \subseteq G$, $\mathcal{V} \to v_2 \in \mathcal{H}$. Since any $v_2 \in B$ is 
not h-reachable from $\mathcal{N}$, an h-edge incident on it must be useful and thus must 
have a c-edge corresponding to it (whose canonical node lies in $\mathcal{V} \subseteq G$). So, if B is 
non-empty and does not contain $v_1$, there must exist a t-edge or a c-edge from some 
node $v \in G$ to some node $v_2 \in B$. By the definition of B there exists no c-path from 
$v_1$ to such a $v_2$, which means there must not be a c-path from $v_1$ to v either (else 
joining such a path with the edge between v and $v_2$ would give us a c-path from 
$v_1$ to $v_2$). At the same time v must not be h-reachable from $\mathcal{N}$, for that would 
imply $\mathcal{N} \Rightarrow_C v_2$. Both these conditions qualify v to be a member of B, which it 
is not. We thus conclude that the set B is either empty or contains the node $v_1$. 
If B is an empty set, we are done. If it is not and it contains $v_1$, then the definition 
of B is contradicted, since there exists a trivial c-path (with 0 edges) from $v_1$ to 
itself. Thus the set B must be empty and the lemma holds. 



Canonical Graphs. We focus our attention on secure configurations from now 
on. Let $C = (\mathcal{M}, \mathcal{N}, \mathcal{H})$ be a secure configuration with secret node $v_s$. By the 
definition of a secret node and by Lemma 1, for every $v_m \in \mathcal{M}$ there must exist 
a canonical path from $v_m$ to $v_s$. For every $v_m \in \mathcal{M}$ select a c-path $P_m = v_m \leadsto_C v_s$. 
The canonical graph for C, denoted G(C), is defined as the graph formed 
by superimposing the c-paths $P_m$ associated to the member nodes $v_m \in \mathcal{M}$. 
While superimposing paths, if there is more than one c-path containing an 
edge between the same two nodes and if at least one of these edges is a c-edge, 
then we insert a single c-edge between the nodes in G(C), and if all these edges 
are t-edges, then we insert a single t-edge between the nodes. If none of the paths 
has an edge (a c-edge or a t-edge) between two given nodes, then there is no edge 
between them in G(C) either. Note that in the graph G(C) there may be more than 
one path from a member node $v_m$ to $v_s$, but only one of them corresponds (modulo 
replacement of t-edges by c-edges) to the canonical path $P_m$ associated to $v_m$. 
Figure 1(a) shows a toy example of a canonical graph for a configuration with 
three member nodes $\{v_1, v_2, v_3\}$ and secret node $v_s$. 

For each member node, $v_m \in \mathcal{M}$, we define the incidence weight of $v_m$ in the 
graph G(C) as the number of c-edges in this graph incident on any node along 
the c-path $P_m = v_m \leadsto_C v_s$. This is at least equal to the number of c-edges on the 
c-path itself. The maximum incidence weight of the graph G(C) is the maximum 
among the incidence weights of all member nodes in it. A useful property on 
[Fig. 1, panels (a) and (b): figure not reproduced in this text] 

Fig. 1. Canonical Graphs: Figure (a) shows the construction of a canonical 
graph for a configuration with three member nodes $\{v_1, v_2, v_3\}$ and secret node 
$v_s$. c-edges are shown by dark lines while t-edges are shown by dotted ones. Path 
$P_i$ goes from member i to $v_s$. Note that there is a c-edge between $v_4$ and $v_s$ 
in $P_1$ and a t-edge between the same two nodes in $P_2$; the final graph has a 
c-edge between these nodes because of the higher precedence given to c-edges. 
In this graph, $v_1, v_2$ and $v_3$ have incidence weights 3, 3 and 2 respectively. Figure 
(b) shows an example of a graph that cannot be a canonical graph since the 
topmost node, $v_s$, has two t-edges entering it. This restriction on t-edges will 
be crucial in proving Lemma 2. 



the maximum incidence weight of any canonical graph is given by the following 
lemma. 

Lemma 2. Let $C = (\mathcal{M}, \mathcal{N}, \mathcal{H})$ be a secure configuration such that $|\mathcal{M}| = n$. 
Then any canonical graph for C has maximum incidence weight at least $\lceil \log_2 n \rceil$. 

Proof. We shall prove something stronger than what the lemma states. We say 
that a node $v \in V$ is $\mathcal{M}'$-secure under C (for some $\mathcal{M}' \subseteq \mathcal{M}$) if $\mathcal{N} \not\Rightarrow_C v$ and 
for all nodes $u \in \mathcal{M}'$, $u \Rightarrow_C v$. For a set $\mathcal{M}' \subseteq \mathcal{M}$ and a node v which is $\mathcal{M}'$-secure 
under C, we define a sub-canonical graph for C over $\mathcal{M}'$ and v, denoted 
$G_C(\mathcal{M}', v)$, as a graph formed by superimposing c-paths from nodes in $\mathcal{M}'$ to v, 
one c-path being selected for every node in $\mathcal{M}'$. The set of c-paths from nodes 
in $\mathcal{M}'$ to v used for constructing $G_C(\mathcal{M}', v)$ is denoted $P(G_C(\mathcal{M}', v))$. As a special 
case, observe that any canonical graph for C is a sub-canonical graph over $\mathcal{M}$ 
and $v_s$. 

We hypothesize that for all $i > 0$, if there exists a pair $(\mathcal{M}', v')$ where $\mathcal{M}' \subseteq \mathcal{M}$, 
$|\mathcal{M}'| = i$ and $v'$ is $\mathcal{M}'$-secure, then for every such pair $(\mathcal{M}', v')$ the maximum 
incidence weight of any graph $G_C(\mathcal{M}', v')$ is at least $\lceil \log_2 i \rceil$. This hypothesis 
clearly implies the above lemma. 

The proof uses an inductive argument on i. For the base case observe that 
a single node in the set $\mathcal{M}$ is a trivial sub-canonical graph with $\lceil \log_2 1 \rceil = 0$ 
c-edges. Suppose that for some $j > 1$ and for all $i < j$, the maximum incidence 
weight of any graph $G_C(\mathcal{M}_i, v_i)$ with $\mathcal{M}_i \subseteq \mathcal{M}$ and $|\mathcal{M}_i| = i$, if there exists 
such a graph, is at least $\lceil \log_2 i \rceil$. Suppose there exists a pair $(\mathcal{M}_j, v_j)$ such 
that $\mathcal{M}_j \subseteq \mathcal{M}$, $|\mathcal{M}_j| = j$ and $v_j$ is $\mathcal{M}_j$-secure under C. Consider the graph 
$G_C(\mathcal{M}_j, v_j)$ and let $v_r$ be the (unique) node in this graph ($v_r$ may be the same 
as $v_j$) such that $v_r$ has in-degree greater than 1, say m, and all nodes on the 
path from $v_r$ to $v_j$ have in-degree exactly 1 (by in-degree of a node we mean 
the number of c-edges and t-edges in $G_C(\mathcal{M}_j, v_j)$ incident on it). Since $v_j$ is not 
h-reachable from $\mathcal{N}$ and since a c-edge is defined only for a pair of nodes both 
of which are not h-reachable from $\mathcal{N}$, $v_r$ must also not be h-reachable from $\mathcal{N}$. 
Let $v_1, v_2, \ldots, v_m$ be the nodes which point to $v_r$ and $\mathcal{M}_1, \mathcal{M}_2, \ldots, \mathcal{M}_m$ be the 
sets of member nodes in $\mathcal{M}_j$ for which the canonical paths to $v_j$ go through 
$v_1, v_2, \ldots, v_m$ respectively. Since $v_r$ is not h-reachable from $\mathcal{N}$ under C, none of 
the nodes $v_1, v_2, \ldots, v_m$ can be so either. It is not hard to see that, for any 
$l \in \{1, \ldots, m\}$, the graph formed by superimposing the portion of the c-paths 
from nodes in $\mathcal{M}_l$ up to the node $v_l$ is also a sub-canonical graph for C (over $\mathcal{M}_l$ 
and $v_l$). Furthermore, there exists some $l' \in [m]$ such that $|\mathcal{M}_{l'}| \geq \lceil j/m \rceil$. From 
the induction hypothesis, the maximum incidence weight of the graph $G_C(\mathcal{M}_{l'}, v_{l'})$ 
is at least $\lceil \log_2 (j/m) \rceil$. Finally, the maximum incidence weight of $G_C(\mathcal{M}_j, v_j)$ 
must be at least equal to the maximum incidence weight of $G_C(\mathcal{M}_{l'}, v_{l'})$ plus 
the number of c-edges incident on $v_r$ in $G_C(\mathcal{M}_j, v_j)$. A crucial observation is 
that there can be at most one t-edge incident on $v_r$, which means at least $m - 1$ 
out of the m edges incident on it must be c-edges. Thus, the maximum incidence 
weight of $G_C(\mathcal{M}_j, v_j)$ is at least $\lceil \log_2 (j/m) \rceil + m - 1$, which is not less 
than $\lceil \log_2 j \rceil$ because $m - 1 \geq \log_2 m$ for every integer $m \geq 1$. 

5.2 The Main Theorem 

We consider multicast games in which the group center, C, always maintains the 
game in a secure configuration. The following theorem establishes a logarithmic 
lower bound on the amortized cost of the moves performed by C, when the moves 
of A are adversarially chosen. The lower bound holds for any initial configuration, 
and even if A only issues replace operations that do not affect the size of the 
group. This lower bound directly implies a $\lceil \log_2 n \rceil$ lower bound on the amortized 
communication complexity of any secure group key distribution protocol. 

Theorem 1. For every strategy of player C and initial configuration $(\mathcal{M}_0, \mathcal{N}_0, \mathcal{H}_0)$, 
there exists a strategy of player A consisting of replace operations only, 
such that for any $t \geq 1$, the amortized cost, $C_t$, of the first t moves of C is at 
least $\lceil \log_2 n \rceil - |\mathcal{H}_0|/t$, where $n = |\mathcal{M}_0|$ is the size of the group. In particular, 
the asymptotic amortized cost of the moves of C is 

$$\lim_{t \to \infty} C_t \geq \lceil \log_2 n \rceil .$$

Proof. Let $(\mathcal{M}_i, \mathcal{N}_i, \mathcal{H}_i)$ be the sequence of configurations following each move by 
C. We know by assumption that all configurations are secure. Notice that for all i, 
$\mathcal{H}_{i-1} \subseteq \mathcal{H}_i$, and the cost of each move by C equals $c_i = |\mathcal{H}_i \setminus \mathcal{H}_{i-1}|$. The moves 
of A are chosen as follows. All moves are replace moves that substitute one of the 
current member nodes with a non-member node. In particular, the size of the 
group is always equal to $n = |\mathcal{M}_0| = |\mathcal{M}_i|$. By Lemma 2, the maximum incidence 
weight of the canonical graph, $G(C_i)$, for any configuration $C_i = (\mathcal{M}_i, \mathcal{N}_i, \mathcal{H}_i)$ 
is at least $\lceil \log_2 n \rceil$. Let $v_i$ be a member node achieving the maximum incidence 
weight in $G(C_i)$. In his i-th move, player A replaces the member node $v_i$ with a 
new node from $\mathcal{N}_i$ that never was a member node before. 

For the configuration $C_i$, consider the graph $G(C_i)$ and the c-path $v_i \leadsto_{C_i} v_s$ 
in this graph (here, $v_s$ is a secret node for $C_i$). Let $I_{C_i}(v_i)$ be the set of c-edges 
in $G(C_i)$ which are incident on the nodes in $v_i \leadsto_{C_i} v_s$ and let $H_{C_i}(v_i)$ be the 
set of (useful) h-edges corresponding (uniquely) to the c-edges in $I_{C_i}(v_i)$. The 
key observation is that once $v_i$ gets labeled as a non-member node (and its label 
does not change after that), the nodes on the c-path $v_i \leadsto_{C_i} v_s$ become h-reachable 
from the set of non-member nodes under any configuration of the game following 
$C_i$ (they are h-reachable from $v_i$ by the definition of a c-path, and h-edges are 
never removed). This implies that all h-edges in $H_{C_i}(v_i)$ become (and remain) 
useless for all configurations from time i onwards, since they are incident on 
$v_i \leadsto_{C_i} v_s$. 

Since $v_i$ is a node with maximum incidence weight in $G(C_i)$, there are at least 
$\lceil \log_2 n \rceil$ c-edges in $I_{C_i}(v_i)$ and an equal number of h-edges in $H_{C_i}(v_i)$. These 
h-edges were useful under $C_i$, so none of them was counted at an earlier move. 
So, each time A performs a move, the number of useless h-edges increases by at 
least $\lceil \log_2 n \rceil$, and after t moves there are at least $t \cdot \lceil \log_2 n \rceil$ useless h-edges 
in $C_t$. Clearly, the number of useless h-edges cannot be greater than the number 
of h-edges in the final configuration, i.e., 

$$t \cdot \lceil \log_2 n \rceil \leq |\mathcal{H}_t| = |\mathcal{H}_0| + \sum_{i=1}^{t} |\mathcal{H}_i \setminus \mathcal{H}_{i-1}| = |\mathcal{H}_0| + \sum_{i=1}^{t} c_i ,$$

where $c_i$ is the cost of the i-th move performed by C. From this, we immediately 
get the desired bound on the amortized cost of C's moves: 

$$C_t = \frac{1}{t} \sum_{i=1}^{t} c_i \geq \lceil \log_2 n \rceil - \frac{|\mathcal{H}_0|}{t} .$$
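The symbolic model used in Sect. 3 and Sect. 4 is mechanical enough to execute, which is the quickest way to check a concrete rekeying scheme against Definition 2 before arguing about it. The following Python program is an added example, not code from the paper or its authors: it implements the Keys(S) closure of Definition 1 (equivalently, h-reachability of Definition 3), checks the security condition of Definition 2 for a concrete configuration, and drives a hypothetical tree-based rekey protocol, written for this example only, through a sequence of REPLACE operations. The protocol keeps $n = 2^d$ members at the leaves of a binary key tree; on a replace, every key on the newcomer's path is rederived as $G_0$ of the key below it, starting from the newcomer's own key, and each new path key is sent once, encrypted under the key of the sibling subtree, so a replace costs exactly $d = \lceil \log_2 n \rceil$ messages on top of $|\mathcal{H}_0| = 2(n-1)$, which is what Theorem 1 permits. The class name, the heap indexing of the tree, the user and key names and the deliberately insecure `lazy_replace` variant are this example's own constructions; `useless_edges` counts the h-edges of Sect. 5.1 whose payload the pooled non-members can derive, so the $t \cdot \lceil \log_2 n \rceil$ count from the proof can be checked on the run.

```python
# Added example: Definition 1's Keys(S) closure and a hypothetical tree rekey protocol.
from typing import Dict, List, Set, Tuple

Key = tuple            # ('K', name) is a basic key; ('G', b, k) is the derived key G_b(k)
Message = Tuple[frozenset, Key]   # E_{K1}(..E_{Kl}(K0)..) as the h-edge ({K1..Kl}, K0)

def basic(name: str) -> Key:
    return ('K', name)

def G(bit: int, key: Key) -> Key:
    return ('G', bit, key)

def derivable(key: Key, known: Set[Key]) -> bool:
    """Rules 1 and 2 of Definition 1: K is known, or K = G_b(K') with K' derivable."""
    while key not in known:
        if key[0] != 'G':
            return False
        key = key[2]
    return True

def keys_closure(messages: List[Message], start: Set[Key]) -> Set[Key]:
    """Keys(S) for S = messages plus the bare keys in `start`: rule 3 (a payload is
    learned once every encrypting key is derivable) iterated to a fixed point."""
    known = set(start)
    progress = True
    while progress:
        progress = False
        for enc_keys, payload in messages:
            if not derivable(payload, known) and all(derivable(k, known) for k in enc_keys):
                known.add(payload)
                progress = True
    return known

class TreeCenter:
    """Hypothetical group center (this example's own protocol, not the paper's).
    n = 2^depth members sit at the leaves of a complete binary key tree in heap
    order: node i has children 2i, 2i+1; leaves are n..2n-1; the root is 1.
    S_0 sends each fresh internal key to both children, so |H_0| = 2(n - 1)."""

    def __init__(self, depth: int):
        self.n = 1 << depth
        self.key: Dict[int, Key] = {}        # tree node -> current key
        self.members: Dict[str, int] = {}    # user -> leaf index
        self.former: Set[str] = set()        # users that left: the colluding set
        self.user_key: Dict[str, Key] = {}
        self.messages: List[Message] = []    # H_t: every rekey message sent so far
        for j in range(self.n):
            self._seat(f"u{j}", self.n + j)
        for i in range(self.n - 1, 0, -1):
            self.key[i] = basic(f"k{i}")
            for child in (2 * i, 2 * i + 1):
                self.send({self.key[child]}, self.key[i])
        self.initial_cost = len(self.messages)

    def _seat(self, user: str, leaf: int) -> None:
        self.user_key[user] = basic(user)
        self.members[user] = leaf
        self.key[leaf] = self.user_key[user]

    def send(self, enc_keys: Set[Key], payload: Key) -> None:
        self.messages.append((frozenset(enc_keys), payload))

    def replace(self, old: str, new: str) -> int:
        """REPLACE(old, new): every key on the leaf's path is rederived from the
        newcomer's key with G_0 and sent once, under the sibling subtree's key;
        members below the path node derive it themselves (rule 2). Cost = depth."""
        before = len(self.messages)
        self.former.add(old)
        node = self.members.pop(old)
        self._seat(new, node)
        while node > 1:
            parent, sibling = node // 2, node ^ 1
            self.key[parent] = G(0, self.key[node])
            self.send({self.key[sibling]}, self.key[parent])
            node = parent
        return len(self.messages) - before

    def lazy_replace(self, old: str, new: str) -> int:
        """Insecure variant: hands the newcomer the existing path keys without
        refreshing them, so the leaver still knows the root key."""
        before = len(self.messages)
        self.former.add(old)
        leaf = node = self.members.pop(old)
        self._seat(new, leaf)
        while node > 1:
            node //= 2
            self.send({self.key[leaf]}, self.key[node])
        return len(self.messages) - before

    def is_secure(self) -> bool:
        """Definition 2 at the current instant: every member derives the root key
        from its own key and H_t, and the pooled former members do not."""
        root = self.key[1]
        for user in self.members:
            if not derivable(root, keys_closure(self.messages, {self.user_key[user]})):
                return False
        colluders = {self.user_key[u] for u in self.former}
        return not derivable(root, keys_closure(self.messages, colluders))

    def useless_edges(self) -> int:
        """h-edges whose payload the non-members can already derive (Sect. 5.1)."""
        known = keys_closure(self.messages, {self.user_key[u] for u in self.former})
        return sum(1 for _, payload in self.messages if derivable(payload, known))
```

With `TreeCenter(3)` (eight members, $|\mathcal{H}_0| = 14$) each `replace` returns 3, so after t replaces the amortized cost is exactly $3 = \lceil \log_2 8 \rceil \geq 3 - 14/t$, and `is_secure()` stays true because the leaver's old path keys are never reused as encryption keys. The `lazy_replace` variant satisfies the correctness clause (the newcomer can reach the root) but fails the security clause, which the closure detects without any cryptographic reasoning: the leaver's unique key still decrypts the chain of $S_0$ messages up to the root. Note that the closure is over terms, so a member under a rederived node obtains $G_0(K)$ by rule 2 rather than from a message, which is exactly why one message per level suffices.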



6 Extensions to Our Model 

In this section, we address some of the possible extensions and modifications one 
could make to our model for secure group key distribution described in Sect. 3 . 
Some of these extensions yield models that are equivalent to the model we have 
already described while others lead to interesting open problems for the group 
key distribution problem. 

1. Allowing Message Pairs: We have proved a lower bound for protocols 
where the rekey messages sent by the group center consist of a single key 
encrypted with multiple other keys. It is easy to see that our lower bound also 
applies to more general protocols where every rekey message can also consist of 
"pairs" of other rekey messages (i.e. protocols in which the grammar for messages 
also includes a rule $M \to (M, M)$). Allowing message pairs does not affect 
communication complexity in any way. 
2. Groups without Simultaneous Leave and Join: Our lower bound 
for group key distribution is proved using a sequence of simultaneous join and 
leave operations (which we refer to as a replace operation) performed on the 
group by an adaptive adversary. One reason for having replace operations is 
that they simplify our analysis considerably (by helping us keep the group size 
constant over time). In groups where replace operations are not allowed, the 
bound that we get using our technique is $\log_2(n)/2$. We remark that it is possible 
to construct a practical protocol (without replace operations) in which every 
individual join and leave can be performed at the cost of $\log_2(n)/2$ multicast 
messages and $\log_2(n)/2$ unicast messages (this can be done by combining the 
protocol of [3] with ideas from [13]). The interesting question is whether our 
bound can be extended so that it is tight even when the $\log_2(n)/2$ unicast cost 
is included in computing communication complexity, or whether one can come 
up with better protocols that involve no unicast at all. We are unable to resolve 
this question at the moment and leave it open for future work. 

3. Other Cryptographic Primitives: Our model for secure group key 
distribution allows the usage of iterated encryption and pseudorandom generation 
for the center's rekey messages, and the best known protocols for this problem 
also use just these cryptographic primitives. It would be interesting to find out 
whether better protocols can be constructed using other cryptographic primitives 
(e.g., pseudorandom functions, secret sharing) or whether our lower bound can be 
extended to even more general classes of protocols that allow the usage of such 
primitives^. 

Analyzing Upper Bounds. The model for secure multicast key distribution we 
study in this paper can also be used to analyze upper bounds but in doing so, 
one must take care of some efficiency issues which we ignore in our framework 
(note that ignoring such issues only helps to strengthen our lower bound). For 
example, in our model, the group members can compute the shared secret key 
at any instant by looking at the rekey messages sent out in the entire history 
of the protocol. Practical protocols should require that members be able to get 
the key using just the rekey messages sent since they joined the group. Also, we 
do not address the issue of storage limitations of the users or the group center. 
In practice, the key update should be made possible not only with minimal 
communication overhead but also with minimal storage requirements for the 
users. 
Abstract. We present a simple, natural random-oracle (RO) model 
scheme, for a practical goal, that is uninstantiable, meaning it is proven 
in the RO model to meet its goal yet admits no standard-model instantiation 
that meets this goal. The goal in question is IND-CCA-preserving 
asymmetric encryption, which formally captures security of the most common 
practical usage of asymmetric encryption, namely to transport a 
symmetric key in such a way that symmetric encryption under the latter 
remains secure. The scheme is an ElGamal variant, called Hash ElGamal, 
that resembles numerous existing RO-model schemes, and on the surface 
shows no evidence of its anomalous properties. These results extend our 
understanding of the gap between the standard and RO models, and 
bring concerns raised by previous work closer to practice by indicating 
that the problem of RO-model schemes admitting no secure instantiation 
can arise in domains where RO schemes are commonly designed. 



1 Introduction 

A random-oracle (RO) model scheme is one whose algorithms have oracle access 
to a random function. Its security is evaluated with respect to an adversary with 
oracle access to the same function. An “instantiation” of such a scheme is the 
standard-model scheme obtained by replacing this function with a member of a 
polynomial-time computable family of functions, described by a short key. The 
security of the scheme is evaluated with respect to an adversary given the same 
key. In the random-oracle paradigm, as enunciated by Bellare and Rogaway 
[6], one first designs and proves secure a scheme in the RO model, and then 
instantiates it to get a (hopefully still secure) standard-model scheme. 

The RO model has proven quite popular and there are now numerous prac- 
tical schemes designed and proven secure in this model. But the important issue 
of whether such schemes can be securely instantiated, and, if so, how, remains 
less clear. This paper adds to existing concerns in this regard. Let us begin by 
reviewing previous work and then explain our results. 
1.1 Previous Work 

Let us call a RO-model scheme uninstantiable, with respect to some underlying 
cryptographic goal, if the scheme can be proven to meet this goal in the random- 
oracle model, but no instantiation of the scheme meets the goal in question. 

Canetti, Goldreich and Halevi [8] provided the first examples of uninstan- 
tiable schemes, the goals in question being IND-CPA-secure asymmetric en- 
cryption and digital signatures secure against chosen-message attacks. Further 
examples followed: Nielsen [19] presented an uninstantiable RO-model scheme 
for the goal of non-interactive, non-committing encryption [7], and Goldwasser 
and Taumann [17] showed the existence of a 3-move protocol which, when col- 
lapsed via a RO as per the Fiat-Shamir heuristic [14], yields an uninstantiable 
RO-model signature scheme. 

The results of [8] indicate that it is possible for the RO paradigm to fail 
to yield secure “real-world” schemes. The example schemes provided by [8], 
however, are complex and contrived ones that do not resemble the kinds of 
RO schemes typically being designed. (Their schemes are designed to return 
the secret key depending on the result of some test applied to an output of 
the oracle, and they use diagonalization and GS proofs [18].) The same is true 
of the scheme of [17]. In contrast, the scheme of [19] is simple, but the goal, 
namely non-interactive, non-committing encryption, is somewhat distant from 
ones that are common practical targets of RO-model designs. Accordingly, based 
on existing work, one might be tempted to think that “in practice,” or when 
confined to “natural” schemes for practical problems commonly being targeted 
by RO-scheme designers, the RO paradigm is sound. 

This paper suggests that even this might not always be true. For a practi- 
cal cryptographic goal, we present an uninstantiable RO-model scheme that is 
simple and natural, closely resembling the types of schemes being designed in 
this domain. We begin below by discussing the goal, which we call IND-CCA-preserving 
asymmetric encryption and which arises in the domain of hybrid 
encryption. 



1.2 IND-CCA-Preserving Asymmetric Encryption 

In practice, the most common usage of asymmetric encryption is to transport a 
symmetric key that is later used for symmetric encryption of the actual data. 
The notion of an asymmetric encryption scheme AS being IND-CCA-preserving, 
that we introduce, captures the security attribute that AS must possess in order 
to render this usage of AS secure. We now elaborate. 

Encryption, in practice, largely employs the “hybrid” paradigm. The version 
of this paradigm that we consider here is quite general. In a first phase, the 
sender picks at random a “session” key K for a symmetric encryption scheme, 
encrypts K asymmetrically under the receiver’s public key to get a ciphertext 
Ca, and transfers Ca to the receiver. In a second phase, it can encrypt messages 
of its choice symmetrically under K and transfer the corresponding ciphertexts 
to the receiver. We call this multi-message (mm) hybrid encryption.¹ 

A choice of an asymmetric encryption scheme AS and a symmetric encryp- 
tion scheme SS gives rise to a particular mm-hybrid scheme. We introduce in 
Section 2 a definition of the IND-CCA security of this mm-hybrid scheme which 
captures the privacy of the encrypted messages even in the presence of an adver- 
sary allowed chosen-ciphertext attacks on both component schemes and allowed 
to choose the messages to be encrypted adaptively and as a function of the 
asymmetric ciphertext, denoted Ca above, that transports the symmetric key. 

Now let us say that an asymmetric encryption scheme AS is IND-CCA pre- 
serving if the mm-hybrid associated to AS and symmetric encryption scheme SS 
is IND-CCA secure for every IND-CCA secure SS. This notion of security for an 
asymmetric encryption scheme captures the security attribute of its being able 
to securely transport a session key for the purpose of mm-hybrid encryption. 
The goal we consider is IND-CCA-preserving asymmetric encryption. 

It is easy to see that any IND-CCA-secure asymmetric encryption scheme is 
IND-CCA preserving. (For completeness, this is proved in the full version of this 
paper [3].) IND-CCA preservation, however, is actually a weaker requirement on 
an asymmetric encryption scheme than IND-CCA security itself. In fact, since 
the messages to be encrypted using the asymmetric scheme are randomly-chosen 
symmetric keys, the encryption itself need not even be randomized. Hence there 
might be IND-CCA-preserving asymmetric encryption schemes that are simpler 
and more efficient than IND-CCA-secure ones. In particular, it is natural to 
seek an efficient IND-CCA-preserving scheme in the RO model along the lines 
of existing hybrid encryption schemes such as those of [9,10,15,20]. 



1.3 The Hash ElGamal Scheme and Its Security 

It is easy to see that the ElGamal encryption scheme [13] is not IND-CCA 
preserving. An effort to strengthen it to be IND-CCA preserving led us to 
a variant that we call the Hash ElGamal scheme. It uses the idea underlying 
the Fujisaki-Okamoto [15] transformation, namely to encrypt under the original 
(ElGamal) scheme using coins obtained by applying a random oracle H to the 
message. Specifically, encryption of a message K under public key (q,g,X) in 
the Hash ElGamal scheme is given by 

$$\mathrm{AE}^{G,H}((q,g,X),K) = \left(g^{H(K)},\ G\big(X^{H(K)}\big) \oplus K\right) \qquad (1)$$



¹ The term multi-message refers to the fact that multiple messages may be encrypted, 
in the second phase, under the same session key. The main reason for using such a 
hybrid paradigm, as opposed to directly encrypting the data asymmetrically under 
the receiver's public key, is that the number-theoretic operations underlying popular 
asymmetric encryption schemes are computationally more expensive than the block- 
cipher operations underlying symmetric encryption schemes, so hybrid encryption 
brings significant performance gains. 
where G, H are random oracles, q and 2q+1 are primes, g is a generator of the 
order-q cyclic subgroup of $\mathbb{Z}^*_{2q+1}$, and the secret key is (q,g,x) where $g^x = X$. 
Decryption is performed in the natural way as detailed in Figure 1. 

The Hash ElGamal scheme is very much like practical RO-model schemes 
presented in the literature. In fact, it is a particular case of an asymmetric 
encryption scheme proposed by Baek, Lee and Kim [2,4]. 

We note that the Hash ElGamal asymmetric encryption scheme is not IND-CCA 
secure, or even IND-CPA secure, in particular because the encryption 
algorithm is deterministic. But Theorem 1 guarantees that the Hash ElGamal 
asymmetric encryption scheme is IND-CCA-preserving in the RO model, if the 
Computational Diffie-Hellman (CDH) problem is hard in the underlying group. 

We follow this with Theorem 2, however, which says that the Hash ElGamal 
scheme is uninstantiable. In other words, the standard-model asymmetric 
encryption scheme obtained by instantiating the RO-model Hash ElGamal scheme 
is not IND-CCA preserving, regardless of the choice of instantiating functions.² 
(We allow these to be drawn from any family of polynomial-time computable 
functions.) 

1.4 A Closer Look 

As noted above, we show that no instantiation of the Hash ElGamal scheme 
is IND-CCA-preserving. The way we establish this is the following. We let AS 
be some (any) instantiation of the Hash ElGamal scheme. Then, we construct a 
particular IND-CCA-secure symmetric encryption scheme SS such that the 
mm-hybrid associated to AS and SS is not IND-CCA secure. The latter is proven by 
presenting an explicit attack on the mm-hybrid. We clarify that the symmetric 
scheme SS constructed in this proof is not a natural one. It is contrived, but not 
particularly complex. We do not view this as subtracting much from the value 
of our result, which lies rather in the nature of the Hash ElGamal scheme itself 
and the practicality of the underlying goal. 

What we suggest is interesting about the result is that the Hash ElGamal 
scheme, on the surface, seems innocuous enough. It does not seem to be mak- 
ing any “peculiar” use of its random oracle that would lead us to think it is 
“wrong.” (Indeed, it uses random oracles in ways they have been used previ- 
ously, in particular by [15,2,4].) The scheme is simple, efficient, and similar to 
other RO-model schemes out there. In addition, we contend that the definition 
of IND-CCA-preserving asymmetric encryption is natural and captures a 
practical requirement. The fact that the Hash ElGamal scheme is uninstantiable 
thus points to the difficulty of being able to distinguish uninstantiable RO-model 
schemes from ones that at least may be securely instantiable, even in the context 
of natural and practical goals. 

² This result is based on the assumption that one-way functions exist (equivalently, 
IND-CCA-secure symmetric encryption schemes exist), since, otherwise, by default, 
any asymmetric encryption scheme is IND-CCA preserving, and, indeed, the entire 
mm-hybrid encryption problem we are considering is vacuous. This assumption is 
made implicitly in all results in this paper. 
1.5 Generalizations 

In the full version of the paper [3] we provide some results that generalize the 
above. We consider the class of IND-CCA-preserving asymmetric encryption 
schemes that possess a pair of properties that we call key verifiability and cipher- 
text verifiability. Key verifiability means there is a way to recognize valid public 
keys in polynomial time. Ciphertext verifiability means there is a polynomial- 
time procedure to determine whether a given ciphertext is an encryption of a 
given message under a given valid public key. Note that ciphertext verifiabil- 
ity contradicts IND-CPA security, but it need not prevent a scheme from being 
IND-CCA preserving, since the latter notion considers the use of the asymmetric 
scheme only for the encryption of messages that are chosen at random. 

In [3] we prove that the goal of key-verifiable, ciphertext-verifiable IND-CCA- 
preserving asymmetric encryption is achievable in the RO model, by the Hash 
ElGamal scheme in particular, assuming the CDH problem is hard in the 
underlying group. However, as we also prove in [3], this goal is not achievable 
in the standard model. In other words, there exist RO-model schemes meeting 
this goal, but there exist no standard-model schemes meeting it. This general- 
izes Theorem 2 because any instantiation of the Hash ElGamal scheme is key- 
verifiable and ciphertext-verifiable, and hence cannot be IND-CCA-preserving. 

In [3] we lift our results from being about a particular scheme to being about 
a primitive, or class of schemes. The generalization also helps better understand 
what aspects of the Hash ElGamal scheme lead to its admitting no IND-CCA- 
preserving instantiation. In particular, we see that this is not due to some “pe- 
culiar” use of random oracles but rather due to some simply stated properties 
of the resulting asymmetric encryption scheme itself. 



1.6 Related Work 

In the cryptographic community, the term “hybrid encryption” seems to be used 
quite broadly, to refer to a variety of goals or methods in which symmetric and 
asymmetric primitives are combined to achieve privacy. We have considered one 
goal in this domain, namely mm-hybrid encryption. We now discuss related work 
that has considered other goals or problems in this domain. 

Works such as [9,10,15,20,12,21] provide designs of IND-CCA-secure asym- 
metric encryption schemes that are referred to as “hybrid encryption schemes” 
because they combine the use of asymmetric and symmetric primitives. (Possible 
goals of such designs include gaining efficiency, increasing the size of the message 
space, or reducing the assumptions that must be made on the asymmetric com- 
ponent in order to guarantee the IND-CCA security of the construction.) The 
schemes of [9,10,15,20] are in the RO model and, although addressing a differ- 
ent goal, form an important backdrop for our work because the Hash ElGamal 
scheme is based on similar techniques and usage of random oracles. We stress, 
however, that we have no reason to believe that any of these schemes, or that of 
[2,4] of which Hash ElGamal is a special case, are uninstantiable. 
2 Definitions 



Notation and conventions. If S is a randomized algorithm, then [S(x, y, ...)] 
denotes the set of all points having positive probability of being output by S on 
inputs x, y, .... If x is a binary string, then |x| denotes its length, and if n ≥ 1 
is an integer, then |n| denotes the length of its binary encoding, meaning the 
unique integer ℓ such that $2^{\ell-1} \le n < 2^{\ell}$. The string-concatenation operator is 
denoted ||. 

Formal definitions in the RO model provide as an oracle, to the algorithms 
and the adversary, a single random function R mapping {0, 1}* to {0, 1}. Schemes 
might, however, use and refer to multiple random functions of different domains 
and ranges. These can be derived from R via standard means [6]. 

Symmetric encryption. A symmetric encryption scheme SS = (SK, SE, SD) 
is specified by three polynomial-time algorithms: via $K \leftarrow \mathrm{SK}(1^k)$ one can 
generate a key; via $C \leftarrow \mathrm{SE}(K, M)$ one can encrypt a message $M \in \{0,1\}^*$; 
and via $M \leftarrow \mathrm{SD}(K, C)$ one can decrypt a ciphertext C. It is required that 
$\mathrm{SD}(K, \mathrm{SE}(K, M)) = M$ for all $K \in [\mathrm{SK}(1^k)]$ and all $M \in \{0,1\}^*$. We assume 
(without loss of generality) that $[\mathrm{SK}(1^k)] \subseteq \{0,1\}^k$. In the RO model, all algo- 
rithms have access to the RO. 

We define security following [5] and addressing the possibility of the sym- 
metric scheme being in the RO model. Let $\mathrm{LR}(M_0, M_1, b) = M_b$ if $M_0, M_1$ are 
strings of equal length, and $\bot$ otherwise. Associate to SS, an adversary S, and 
$k \in \mathbb{N}$, the following experiment. 

Experiment $\mathbf{Exp}^{\mathrm{ind\text{-}cca}}_{\mathrm{SS},S}(k)$ 
  Randomly choose RO $R_s\colon \{0,1\}^* \to \{0,1\}$ 
  $K \leftarrow \mathrm{SK}^{R_s}(1^k)$ ; $b \leftarrow \{0,1\}$ 
  Run S with input $1^k$ and oracles $\mathrm{SE}^{R_s}(K, \mathrm{LR}(\cdot,\cdot,b))$, $\mathrm{SD}^{R_s}(K,\cdot)$, $R_s$ 
  Let d denote the output of S 
  If d = b then return 1 else return 0. 

We say that adversary S is legitimate if it never queries $\mathrm{SD}^{R_s}(K,\cdot)$ with a cipher- 
text previously returned by $\mathrm{SE}^{R_s}(K, \mathrm{LR}(\cdot,\cdot,b))$. Symmetric encryption scheme 
SS is said to be IND-CCA secure if the function 

$$\mathbf{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{SS},S}(k) = 2\cdot\Pr\left[\mathbf{Exp}^{\mathrm{ind\text{-}cca}}_{\mathrm{SS},S}(k) = 1\right] - 1$$

is negligible for all legitimate polynomial-time adversaries S. 



Asymmetric encryption. An asymmetric encryption scheme AS = 
(AK, AE, AD) is specified by three polynomial-time algorithms: via $(pk, sk) \leftarrow 
\mathrm{AK}(1^k)$ one can generate keys; via $C \leftarrow \mathrm{AE}(pk, K)$ one can encrypt a message 
$K \in \{0,1\}^k$; and via $K \leftarrow \mathrm{AD}(sk, C)$ one can decrypt a ciphertext C. (We de- 
note the message by K because we will set it to a key for a symmetric encryption 
scheme.) It is required that $\mathrm{AD}(sk, \mathrm{AE}(pk, K)) = K$ for all $(pk, sk) \in [\mathrm{AK}(1^k)]$ 
and all $K \in \{0,1\}^k$. In the RO model, all algorithms have access to the RO. 
Discussions and peripheral results in this paper sometimes refer to standard 
notions of security for such schemes like IND-CPA and IND-CCA, but these 
are not required for the main results and, accordingly, are not defined here but 
recalled in [3]. 

IND-CCA-preserving asymmetric encryption. We provide the formal def- 
initions first and explanations later. A multi-message hybrid (mm-hybrid) en- 
cryption scheme is simply a pair (AS, SS) consisting of an asymmetric encryp- 
tion scheme AS = (AK, AE, AD) and a symmetric encryption scheme SS = 
(SK, SE, SD). We associate to (AS, SS), a hybrid adversary H, and $k \in \mathbb{N}$, the 
following experiment. 

Experiment $\mathbf{Exp}^{\mathrm{ind\text{-}cca}}_{\mathrm{AS},\mathrm{SS},H}(k)$ 
  Randomly choose RO $R\colon \{0,1\}^* \to \{0,1\}$ 
  Define ROs $R_s(\cdot) = R(0\|\cdot)$ and $R_a(\cdot) = R(1\|\cdot)$ 
  $(pk, sk) \leftarrow \mathrm{AK}^{R_a}(1^k)$ ; $K \leftarrow \mathrm{SK}^{R_s}(1^k)$ ; $b \leftarrow \{0,1\}$ 
  $C_a \leftarrow \mathrm{AE}^{R_a}(pk, K)$ 
  Run H with inputs pk, $C_a$ and 
    oracles $\mathrm{SE}^{R_s}(K, \mathrm{LR}(\cdot,\cdot,b))$, $\mathrm{SD}^{R_s}(K,\cdot)$, $\mathrm{AD}^{R_a}(sk,\cdot)$, R 
  Let d denote the output of H 
  If d = b then return 1 else return 0. 

We say that adversary H is legitimate if it does not query $\mathrm{SD}^{R_s}(K,\cdot)$ on a 
ciphertext previously returned by $\mathrm{SE}^{R_s}(K, \mathrm{LR}(\cdot,\cdot,b))$, and it does not query 
$\mathrm{AD}^{R_a}(sk,\cdot)$ on $C_a$. Mm-hybrid encryption scheme (AS, SS) is said to be IND- 
CCA secure if the function 

$$\mathbf{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{AS},\mathrm{SS},H}(k) = 2\cdot\Pr\left[\mathbf{Exp}^{\mathrm{ind\text{-}cca}}_{\mathrm{AS},\mathrm{SS},H}(k) = 1\right] - 1$$

is negligible for all legitimate polynomial-time adversaries H. 

Finally, we say that an asymmetric encryption scheme AS is IND-CCA pre- 
serving if the mm-hybrid encryption scheme (AS,SS) is IND-CCA secure for 
all IND-CCA-secure symmetric encryption schemes SS. Here, the set of sym- 
metric encryption schemes over which we quantify includes RO-model ones if 
AS is a RO-model scheme, and includes only standard-model ones if AS is a 
standard-model scheme. 

Let us now explain the ideas behind these formalisms. Recall that we are mod- 
elling the security of the following two-phase scenario: in phase one, the sender 
picks a key K for symmetric encryption, asymmetrically encrypts it under the 
receiver's public key to get a ciphertext $C_a$, and sends $C_a$ to the receiver; in 
phase two, the sender symmetrically encrypts messages of its choice under K 
and transmits the resulting ciphertexts to the receiver. The definition above 
captures the requirement of privacy of the symmetrically encrypted data under 
a chosen-ciphertext attack. Privacy is formalized in terms of indistinguishability 
via left-or-right oracles, and the chosen-ciphertext attack is formalized via the 
adversary’s access to decryption oracles for both the symmetric and asymmet- 
ric schemes. The legitimacy requirement, as usual, disallows decryption queries 
on challenge ciphertexts since they would lead to trivial adversary victory. The 
experiment reflects the possibility that SS and AS are RO-model schemes by pick- 
ing random oracles for their encryption and decryption algorithms. The standard 
model is the special case where the algorithms of the schemes do not refer to 
any oracles, and thus the definition above covers security in both models. The 
notion of AS being IND-CCA preserving reflects a valuable pragmatic require- 
ment, namely that one may use, in conjunction with AS, any symmetric encryp- 
tion scheme and be guaranteed security of the mm-hybrid under the minimal 
assumption that the symmetric scheme itself is secure. 

Remark 1. Suppose we have two RO-model schemes, and are composing them, 
or executing them in a common context. (Above, this is happening with the 
asymmetric encryption scheme and the symmetric encryption scheme.) We claim 
that, in this case, the ROs of the two schemes should be chosen independently. 
(This does not mean that we need to assume two RO oracles are given. The 
formal model always provides just one RO. But one can easily derive several 
independent ROs from a single one, as we did above.) The correctness of this 
principle of independent instantiation of ROs in a common context can be seen 
in many ways. First, it is easy to come up with an example of a pair of secure 
RO-model schemes that, when composed, yield an insecure one if the ROs in the 
two schemes are defined to be the same. Second, one can reason by analogy with 
the way we need to choose keys in composing primitives. For example, suppose 
we have a MAC and symmetric encryption scheme, each individually secure. If 
we use them to construct an authenticated-encryption scheme, we should use 
different keys for the MAC and the symmetric encryption scheme. (There is no 
reason to think otherwise that the composition will be secure.) The principle, 
for ROs, is exactly the same. They are just like keys provided to primitives. 

The existence of IND-CCA-preserving asymmetric encryption schemes is easy to 
establish since, as we show in [3], any IND-CCA-secure asymmetric encryption 
scheme is IND-CCA preserving. The interesting question is to find IND-CCA- 
preserving asymmetric encryption schemes that are more efficient than existing 
IND-CCA-secure asymmetric encryption schemes. Hash ElGamal is one such 
scheme. 
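As an added illustration of the experiment just defined (this is not code from the paper), the following Python models $\mathbf{Exp}^{\mathrm{ind\text{-}cca}}_{\mathrm{AS},\mathrm{SS},H}$ with its left-or-right oracle, the two decryption oracles and the legitimacy rule, and runs it against the mm-hybrid built from plain ElGamal [13] and an encrypt-then-MAC symmetric scheme. The hybrid adversary recovers K with a single legitimate AD query on a mauled $C_a$, which is the reason plain ElGamal is not IND-CCA preserving (the claim made at the start of Section 3). Everything below is assumed for the example and not taken from the paper: a toy 29-bit safe-prime group found by trial division, the session key encoded as a group element with its symmetric key bits derived by SHA-256, and HMAC-SHA256 for the symmetric scheme.

```python
import functools
import hashlib
import hmac
import os
import secrets

# ---- toy cyclic group: safe prime p = 2q+1; g = 4 is a quadratic residue, so it generates <g> of order q
def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

@functools.lru_cache(maxsize=None)
def CG(lo=1 << 28):
    q = lo | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return q, 4

# ---- AS: plain ElGamal [13] on <g>; the transported "message" K is a group element (encoding assumption)
def AK():
    q, g = CG()
    p = 2 * q + 1
    x = secrets.randbelow(q)
    return (q, g, pow(g, x, p)), (q, g, x)

def SK(pk):                                  # session key K: a random element of <g>
    q, g, _ = pk
    return pow(g, secrets.randbelow(q), 2 * q + 1)

def AE(pk, K):
    q, g, X = pk
    p = 2 * q + 1
    y = secrets.randbelow(q)
    return pow(g, y, p), (pow(X, y, p) * K) % p

def AD(sk, C):
    q, g, x = sk
    p = 2 * q + 1
    Y, Z = C
    return (Z * pow(Y, q - x, p)) % p        # Z * Y^{-x}: Y has order dividing q, so Y^{-x} = Y^{q-x}

# ---- SS: encrypt-then-MAC; keystream and tag from HMAC-SHA256 under keys derived from K
def _kdf(K, label):
    return hashlib.sha256(label + K.to_bytes(8, "big")).digest()

def SE(K, M):
    assert len(M) <= 32                       # toy: a single 32-byte keystream block
    n = os.urandom(16)
    pad = hmac.new(_kdf(K, b"enc"), n, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(pad, M))
    return n + ct + hmac.new(_kdf(K, b"mac"), n + ct, hashlib.sha256).digest()

def SD(K, C):
    n, ct, tag = C[:16], C[16:-32], C[-32:]
    if not hmac.compare_digest(tag, hmac.new(_kdf(K, b"mac"), n + ct, hashlib.sha256).digest()):
        return None                           # bottom: tag check failed
    pad = hmac.new(_kdf(K, b"enc"), n, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pad, ct))

# ---- Exp^{ind-cca}_{AS,SS,H}: returns 1 iff H guesses b; an illegitimate query raises ValueError
def Exp_mm_hybrid(H):
    pk, sk = AK()
    K = SK(pk)
    b = secrets.randbelow(2)
    Ca = AE(pk, K)
    lr_ciphertexts = set()
    def se_lr(M0, M1):                        # SE(K, LR(., ., b))
        if len(M0) != len(M1):
            return None
        C = SE(K, M1 if b else M0)
        lr_ciphertexts.add(C)
        return C
    def sd(C):                                # SD(K, .), refusing ciphertexts returned by the LR oracle
        if C in lr_ciphertexts:
            raise ValueError("illegitimate: SD queried on an LR ciphertext")
        return SD(K, C)
    def ad(C):                                # AD(sk, .), refusing C_a
        if C == Ca:
            raise ValueError("illegitimate: AD queried on C_a")
        return AD(sk, C)
    d = H(pk, Ca, se_lr, sd, ad)
    return 1 if d == b else 0

# ---- a legitimate hybrid adversary H against plain ElGamal key transport
def elgamal_mauling_adversary(pk, Ca, se_lr, sd, ad):
    q, g, X = pk
    p = 2 * q + 1
    Y, Z = Ca
    K = (ad((Y, (Z * g) % p)) * pow(g, q - 1, p)) % p   # (Y, Z*g) != C_a and decrypts to K*g; divide by g
    C = se_lr(b"left message....", b"right message...")
    return 1 if SD(K, C) == b"right message..." else 0  # decrypt the challenge locally with the recovered K

def demo(runs=10):
    """Returns (wins, runs, caught): H wins every run; an adversary querying AD on C_a is rejected."""
    wins = sum(Exp_mm_hybrid(elgamal_mauling_adversary) for _ in range(runs))
    def cheater(pk, Ca, se_lr, sd, ad):
        return 1 if ad(Ca) else 0
    try:
        Exp_mm_hybrid(cheater)
        caught = False
    except ValueError:
        caught = True
    return wins, runs, caught
```

The adversary never touches SD(K,·) or the LR ciphertext through the oracles, so it is legitimate in the sense of the definition, yet its advantage is 1; the symmetric scheme is never attacked, which is exactly what "AS fails to preserve IND-CCA" means.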

3 The HEG Scheme and Its Security in the RO Model 

In this section we introduce a variant of the ElGamal encryption scheme [13] 
that, although not IND-CCA secure, is IND-CCA preserving in the RO model 
under a standard assumption. In Section 4, we will show that this scheme admits 
no IND-CCA-preserving instantiation. 

Preliminaries. A cyclic-group generator is a randomized, polynomial-time al- 
gorithm CG which on input $1^k$ outputs a pair (q,g), where q is a prime such that 
p = 2q+1 is also a prime, g is a generator of the cyclic, order-q subgroup ⟨g⟩ of 
$\mathbb{Z}_p^*$, and |p| = k. Recall that the Computational Diffie-Hellman (CDH) problem 
is said to be hard for CG if the function 
$$\mathbf{Adv}^{\mathrm{cdh}}_{\mathrm{CG},C}(k) = \Pr\left[(q,g) \leftarrow \mathrm{CG}(1^k);\ x, y \leftarrow \mathbb{Z}_q\ :\ C(q, g, g^x, g^y) = g^{xy}\right]$$

is negligible for all polynomial-time cdh adversaries C. 

Algorithm AK(1^k): 
  (q,g) ← CG(1^k) 
  x ← Z_q ; X ← g^x 
  Return ((q,g,X), (q,g,x)) 

Algorithm AE^{G,H}((q,g,X), K): 
  y ← H(K) ; Y ← g^y 
  T ← G(X^y) ; W ← T ⊕ K 
  Return (Y, W) 

Algorithm AD^{G,H}((q,g,x), (Y,W)): 
  T ← G(Y^x) ; K ← T ⊕ W 
  If g^{H(K)} = Y then Return K else Return ⊥ EndIf 

Fig. 1. Algorithms of the RO-model asymmetric encryption scheme HEG[CG] = 
(AK, AE, AD) associated to cyclic-group generator CG. Here G: ⟨g⟩ → {0,1}^k 
and H: {0,1}^k → Z_q are random oracles. 



Scheme and result statement. To any cyclic-group generator CG we as- 
sociate the RO-model asymmetric encryption scheme HEG[CG] = (AK, AE, AD) 
whose constituent algorithms are depicted in Figure 1. (The scheme makes ref- 
erence to two ROs, namely G: ⟨g⟩ → {0,1}^k and H: {0,1}^k → $\mathbb{Z}_q$, while the 
formal definition of an asymmetric encryption scheme provides a single RO 
R: {0,1}* → {0,1}, but G, H may be implemented via R in standard ways 
[6].) We call this variant of the ElGamal encryption scheme the Hash ElGamal 
encryption scheme associated to CG. Our result about its security in the RO 
model is the following. 



Theorem 1. If the CDH problem is hard for cyclic-group generator CG, then the 
associated Hash ElGamal asymmetric encryption scheme HEG[CG] is IND-CCA 
preserving in the RO model. 

For the definition of what it means to be IND-CCA preserving, we refer the 
reader to Section 2. 

Remarks. We note that the encryption algorithm AE of HEG[CG] is determinis- 
tic. For this reason alone, HEG[CG] is not an IND-CCA secure, or even IND-CPA 
secure, asymmetric encryption scheme. Nonetheless, Theorem 1 says that it is 
IND-CCA preserving as long as the CDH problem is hard for CG. This is not a 
contradiction. Very roughly, the reason HEG[CG] can preserve IND-CCA while 
not itself being even IND-CPA is that the former notion considers the use of the 
scheme only for the encryption of messages that are symmetric keys, which (as 
long as the associated symmetric encryption scheme is secure) have relatively 
high entropy, and the entropy in these messages compensates for the lack of any 
introduced by AE. We add that previous work [9,10,15,20] has shown that in 
the RO model, relatively weak asymmetric components suffice to ensure strong 
security properties of the hybrid based on them. Thus, it is not surprising that, 
although HEG[CG] is not secure with respect to standard measures like IND-CPA 
and IND-CCA, it is secure enough to permit its use for transport of a symmetric 
encryption key as indicated by Theorem 1. 

The full proof of Theorem 1 is in [3]. Below we provide an intuitive overview 
that highlights the main areas of novelty. 

Proof setup. Let AS = HEG[CG] and let AK,AE,AD denote its constituent 
algorithms. Let SS = (SK, SE, SD) be any IND-CCA-secure symmetric encryp- 
tion scheme. We need to show that (AS, SS) is an IND-CCA-secure mm-hybrid 
encryption scheme. 

Let H be a polynomial-time hybrid adversary attacking (AS, SS). We will 
construct polynomial-time adversaries S and C such that 

$$\mathbf{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{AS},\mathrm{SS},H}(k) \le \mathrm{poly}(k)\cdot\mathrm{poly}\!\left(\mathbf{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{SS},S}(k),\ \mathbf{Adv}^{\mathrm{cdh}}_{\mathrm{CG},C}(k)\right) + \frac{\mathrm{poly}(k)}{2^k}. \qquad (2)$$

Since SS is assumed IND-CCA secure and the CDH problem is hard for CG, 
the advantage functions related to S and C above are negligible, and thus so is 
the advantage function related to H. To complete the proof, we need to specify 
adversaries S, C for which Equation (2) is true. 

Consider $\mathbf{Exp}^{\mathrm{ind\text{-}cca}}_{\mathrm{AS},\mathrm{SS},H}(k)$. Let (q,g,X) be the public key and (q,g,x) the secret 
key chosen, where $X = g^x$. Let $C_a = (Y, W)$ where $Y = g^y$. Let K denote the 
symmetric encryption key chosen. Let GH be the event that there is a time at 
which $g^{xy}$ is queried to G but K has not been queried to H; HG the event that 
there is a time at which K is queried to H but $g^{xy}$ has not been queried to G; 
and Succ(H) the event that H is successful at guessing the value of its challenge 
bit b. We will construct C so that 

$$\Pr[\mathrm{GH}] \le \mathrm{poly}(k)\cdot\mathbf{Adv}^{\mathrm{cdh}}_{\mathrm{CG},C}(k) + \frac{\mathrm{poly}(k)}{2^k},$$

and we will construct S so that 

$$\Pr\left[\mathrm{HG} \vee (\mathrm{Succ}(H) \wedge \neg\mathrm{GH} \wedge \neg\mathrm{HG})\right] \le \mathbf{Adv}^{\mathrm{ind\text{-}cca}}_{\mathrm{SS},S}(k) + \frac{\mathrm{poly}(k)}{2^k}. \qquad (3)$$

Equation (2) follows. 

The adversaries. The design of C relies mostly on standard techniques, 
and so we leave it to [3]. We turn to S. The latter gets input $1^k$ and oracles 
$\mathrm{SE}^{R_s}(K, \mathrm{LR}(\cdot,\cdot,b))$, $\mathrm{SD}^{R_s}(K,\cdot)$, $R_s$, and begins with the initializations 

$$((q,g,X),(q,g,x)) \leftarrow \mathrm{AK}(1^k);\quad y \leftarrow \mathbb{Z}_q;\ Y \leftarrow g^y;\ W \leftarrow \{0,1\}^k;\ C_a \leftarrow (Y, W). \qquad (4)$$

It then runs H on inputs (q,g,X), $C_a$, itself responding to the oracle queries of 
the latter. Its aim is to do this in such a way that the key K underlying S's 
oracles plays the role of the quantity of the same name for H. Eventually, it 
will output what H outputs. The difficulty faced by this adversary is that H 
might query K to H. (Other oracle queries are dealt with in standard ways.) In 
that case, H expects to be returned y. (And it cannot be fooled since, knowing 
$Y = g^y$, it can verify whether or not the value returned is y.) The difficulty for 
S is not that it does not know the right answer — via Equation (4), it actually 
knows y — but rather that it is not clear how it would know that a query being 
made to H equals the key K underlying its oracles, so that it would know when 
to return y as the answer to a query to H . 

In order to "detect" when query K is made, we would, ideally, like a test 
that can be performed on a value L, accepting if L = K and rejecting otherwise. 
However, it is not hard to see that, in general, such a test does not exist.³ Instead, 
we introduce a test that has a weaker property and show that it suffices for us. 

Our test KeyTest takes input L and has access to S's $\mathrm{SE}^{R_s}(K, \mathrm{LR}(\cdot,\cdot,b))$ 
oracle. It returns a pair (dec, gs) such that: (1) If L = K then (dec, gs) = (1, b), 
meaning in this case it correctly computes the challenge bit b, and (2) If L ≠ K 
then, with overwhelming probability, either dec = 0 (the test is saying L ≠ K) or 
(dec, gs) = (1, b) (the test is saying it does not know whether or not L = K, but 
it has successfully calculated the challenge bit anyway). With KeyTest in hand, 
S can answer a query L made to H as follows. It runs (dec, gs) ← KeyTest(L). 
If dec = 0, it can safely assume L ≠ K and return a random answer, while if 
dec = 1, it can output gs as its guess to challenge bit b and halt. 

A precise description and analysis of KeyTest are in [3], but we briefly sketch 
the ideas here. The algorithm has two phases. In the first phase, it repeatedly 
tests whether or not 

$$\mathrm{SD}^{R_s}(L, \mathrm{SE}^{R_s}(K, \mathrm{LR}(T_0, T_0, b))) = T_0 \quad\text{and}\quad \mathrm{SD}^{R_s}(L, \mathrm{SE}^{R_s}(K, \mathrm{LR}(T_1, T_1, b))) = T_1,$$

where $T_0, T_1$ are some distinct "test" messages. If any of these checks fails, it 
knows that L ≠ K and returns (0, 0). (However, the checks can succeed with 
high probability even if L ≠ K.) In the next phase, it repeatedly computes 
$\mathrm{SD}^{R_s}(L, \mathrm{SE}^{R_s}(K, \mathrm{LR}(T_0, T_1, b)))$ and, if all these computations yield $T_{gs}$ for some 
bit gs, it returns (1, gs). The analysis shows that, conditional on the first phase 
not returning (0, 0), the bit gs from the second stage equals b with overwhelming 
probability. 

A subtle point arises with relation to the test. Recall that H is making queries 
to $\mathrm{SD}^{R_s}(K,\cdot)$. S will answer these via its own oracle of the same name. Now, 
consider the event that H queries to $\mathrm{SD}^{R_s}(K,\cdot)$ a ciphertext C generated in 
some execution of KeyTest. If S calls $\mathrm{SD}^{R_s}(K, C)$ to obtain the answer, it would 
immediately become an illegitimate adversary and thus forgo its advantage, since 
C is a result of a call to $\mathrm{SE}^{R_s}(K, \mathrm{LR}(\cdot,\cdot,b))$ made by S via subroutine KeyTest. 
There are a few ways around this, and the one we use is to choose the initial 
"test" messages randomly so that H has low probability of being able to query 
a ciphertext C generated in some execution of KeyTest. 
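KeyTest as sketched above, written out in Python as an added example; it is not the paper's own procedure, whose precise description and analysis are in [3]. To exercise both outcomes for L ≠ K it uses the symmetric scheme of footnote 3: a toy keystream cipher whose SE and SD read only the first half of the key, so a key L that agrees with K on that half passes the first phase yet the second phase still recovers b. The cipher, the 8-byte nonce, the 16-byte test messages and the number of repetitions per phase are all constructed for this example; the cipher is there for the mechanics only and is not claimed IND-CCA secure. The last function shows how S uses the test to serve a query L to the oracle H.

```python
import hashlib
import os
import secrets

KLEN = 16   # k/8 bytes: toy symmetric key length

# Footnote-3 style toy SS: only the first half of the key bits influence SE and SD (constructed here).
def SE(K, M):
    n = os.urandom(8)
    pad = hashlib.sha256(K[:KLEN // 2] + n).digest()[:len(M)]
    return n + bytes(a ^ b for a, b in zip(pad, M))

def SD(K, C):
    n, ct = C[:8], C[8:]
    pad = hashlib.sha256(K[:KLEN // 2] + n).digest()[:len(ct)]
    return bytes(a ^ b for a, b in zip(pad, ct))

def make_lr_oracle(K, b):
    """S's oracle SE(K, LR(., ., b)); K and b stay hidden behind the closure."""
    def oracle(M0, M1):
        return SE(K, M1 if b else M0) if len(M0) == len(M1) else None
    return oracle

def KeyTest(L, se_lr, reps=16):
    """(0, 0): L is certainly not K.  (1, gs): gs is the challenge bit, whether or not L = K."""
    T0, T1 = os.urandom(16), os.urandom(16)   # random test messages, so H cannot predict them
    # Phase 1: LR(T0,T0,b) and LR(T1,T1,b) encrypt T0 and T1 whatever b is; a mismatch proves L != K.
    for _ in range(reps):
        if SD(L, se_lr(T0, T0)) != T0 or SD(L, se_lr(T1, T1)) != T1:
            return (0, 0)
    # Phase 2: LR(T0,T1,b) encrypts T_b; if every decryption under L is the same T_gs, output gs.
    seen = set()
    for _ in range(reps):
        P = SD(L, se_lr(T0, T1))
        seen.add(0 if P == T0 else 1 if P == T1 else None)
    return (1, seen.pop()) if len(seen) == 1 and None not in seen else (0, 0)

def answer_H_query(L, se_lr, q):
    """How S serves H's query L to the oracle H: a random Z_q element unless KeyTest settles the bit."""
    dec, gs = KeyTest(L, se_lr)
    if dec == 0:
        return ("answer", secrets.randbelow(q))   # L != K, so a random value is consistent with a RO
    return ("halt", gs)                           # S outputs gs as its guess of b and stops

def demo():
    K = os.urandom(KLEN)
    b = secrets.randbelow(2)
    se_lr = make_lr_oracle(K, b)
    half_match = K[:KLEN // 2] + bytes(x ^ 0xFF for x in K[KLEN // 2:])  # agrees with K on the half SE reads
    return {
        "b": b,
        "true_key": KeyTest(K, se_lr),
        "half_match": KeyTest(half_match, se_lr),
        "wrong_key": KeyTest(os.urandom(KLEN), se_lr),
    }
```

For the half-matching key the test cannot tell L from K, exactly as footnote 3 says, but S does not need it to: (1, b) is all it wants. The ciphertexts produced inside KeyTest are outputs of S's LR oracle, which is why the text insists on random test messages.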

³ Suppose, for example, that algorithms SE, SD only depend on the first half of the 
bits of their k-bit key. This is consistent with their being IND-CCA secure (in the 
sense that, if there exists an IND-CCA-secure symmetric encryption scheme, there 
also exists one with this property), but now, any test has probability at most $2^{-k/2}$ 
of being able to differentiate between K and a key L ≠ K that agrees with K in its 
first half. 
Algorithm $\overline{\mathrm{AK}}(1^k)$: 
  fk ← {0,1}^{fkl(k)} 
  (pk, sk) ← AK^{F_k(fk,·)}(1^k) 
  Return ((pk, fk), (sk, fk)) 

Algorithm $\overline{\mathrm{AE}}(\overline{pk}, K)$: 
  Parse $\overline{pk}$ as (pk, fk) 
  C ← AE^{F_k(fk,·)}(pk, K) 
  Return C 

Algorithm $\overline{\mathrm{AD}}(\overline{sk}, C)$: 
  Parse $\overline{sk}$ as (sk, fk) 
  K ← AD^{F_k(fk,·)}(sk, C) 
  Return K 

Fig. 2. Algorithms of the standard-model asymmetric encryption scheme 
$\overline{\mathrm{AS}} = (\overline{\mathrm{AK}}, \overline{\mathrm{AE}}, \overline{\mathrm{AD}})$ obtained by instantiating RO-model asymmetric encryption 
scheme AS = (AK, AE, AD) via poly-time family of functions F. 



We note that one might consider an alternative solution to S's problem of 
wanting to "detect" query K to H. Namely, reply to queries to H at random, 
then, after H terminates, pick one such query L at random, decrypt a challenge 
ciphertext via L, and use that to predict the challenge bit. Unfortunately, even 
though L = K with probability 1/poly(k), the advantage over one-half obtained 
by S via the strategy just outlined could be negligible because the wrong answers 
from the wrong random choices could overwhelm the right answer that arises 
when K is chosen. 

We provide all the details and justify Equation (2) in [3]. 

4 Uninstantiability of the Hash ElGamal Scheme 

In this section we show (cf. Theorem 2) that the RO-model Hash ElGamal 
scheme admits no IND-CCA-preserving instantiation. Below we begin by de- 
tailing what we mean by instantiation of a RO-model asymmetric encryption 
scheme. This will refer to a RO-model scheme which, as per the formal defini- 
tions in Section 2, uses a single random oracle mapping {0,1}* to {0,1}. 

Instantiating RO-model asymmetric encryption schemes. A poly-time 
family of functions F associates to security parameter $k \in \mathbb{N}$ and key $fk \in 
\{0,1\}^{\mathrm{fkl}(k)}$ a map $F_k(fk, \cdot)\colon \{0,1\}^* \to \{0,1\}$. The key length fkl of the family 
of functions is a polynomial in k. We require that there exist a polynomial t such 
that $F_k(fk, x)$ is computable in $t(k + |x|)$ time for all $k \in \mathbb{N}$, $fk \in \{0,1\}^{\mathrm{fkl}(k)}$ 
and $x \in \{0,1\}^*$. 

An instantiation of a RO-model asymmetric encryption scheme AS = 
(AK, AE, AD) via family F is the standard-model asymmetric encryption scheme 
$\overline{\mathrm{AS}} = (\overline{\mathrm{AK}}, \overline{\mathrm{AE}}, \overline{\mathrm{AD}})$ whose constituent algorithms are illustrated in Figure 2. As 
these indicate, the public and secret keys of the original scheme are enhanced to 
also include a key fk specifying the function $F_k(fk, \cdot)$, and calls to the random 
oracle are then replaced by evaluations of this function in all algorithms. 

The uninstantiability result. The formal statement of the result is the 
following. 
Theorem 2. Let HEG[CG] = (AK, AE, AD) be the RO-model Hash ElGamal scheme associated to a cyclic-group generator CG. Let $\overline{HEG[CG]} = (\overline{AK}, \overline{AE}, \overline{AD})$ be any instantiation of HEG[CG] via a poly-time family of functions. Then $\overline{HEG[CG]}$ is not IND-CCA preserving.

Proof of Theorem 2. Let F be the poly-time family of functions used in $\overline{HEG[CG]}$ to replace the random oracle. We will construct an IND-CCA-secure symmetric encryption scheme SS such that the mm-hybrid encryption scheme $(\overline{HEG[CG]}, SS)$ is not IND-CCA secure. This proves the theorem.

Let us say that a value pk is a $(\overline{HEG[CG]}, k)$-valid public key if there exists a value sk such that $(pk, sk) \in [\overline{AK}(1^k)]$. We first define two polynomial-time algorithms VfPK and $VfCtxt_F$ which are used by SS.

Algorithm VfPK, which we call a key verifier, takes inputs $1^k$ and pk, and outputs 1 if and only if pk is a $(\overline{HEG[CG]}, k)$-valid public key. The algorithm works by parsing pk as $((q, g, X), fk)$, where $fk \in \{0,1\}^{fkl(k)}$, and then returning 1 if and only if q and 2q+1 are primes, g is a generator of the order-q cyclic subgroup $\langle g \rangle$ of $\mathbb{Z}^*_{2q+1}$, $|2q+1| = k$, and $X \in \langle g \rangle$. This algorithm can be implemented in polynomial time based on standard facts from computational number theory, and even deterministically, given the existence of polynomial-time primality tests [1]. We omit the details.

Algorithm $VfCtxt_F$, which we call a ciphertext verifier, takes inputs $1^k, pk, K, C$, where pk is a $(\overline{HEG[CG]}, k)$-valid public key and $K \in \{0,1\}^k$. It runs $\overline{AE}(pk, K)$ and outputs 1 if the result is C, and 0 otherwise. In other words, $VfCtxt_F$ verifies whether C is indeed an encryption of message K under the given public key pk. This is possible because the encryption algorithm AE of HEG[CG] (cf. Figure 1), and hence the encryption algorithm $\overline{AE}$ of $\overline{HEG[CG]}$, is deterministic.

Let SS' = (SK', SE', SD') be any standard-model IND-CCA-secure symmetric encryption scheme. (Recall an implicit assumption is that some such scheme exists, since otherwise all asymmetric encryption schemes are by default IND-CCA preserving and the entire problem we are considering is moot.) The construction of SS is in terms of SS' and algorithms VfPK and $VfCtxt_F$. We use the notation $\langle\langle \cdot, \cdot \rangle\rangle$ to denote an injective, polynomial-time computable encoding of pairs of strings as strings such that given $\langle\langle M_1, M_2 \rangle\rangle$, $M_1$ and $M_2$ can be recovered in polynomial time. If s is a string and $a \le b$ are integers then $s[a \ldots b]$ denotes the string consisting of bit positions a through b of s. The algorithms constituting SS = (SK, SE, SD) are depicted in Figure 3. To conclude the proof, we need only establish the following propositions.

Proposition 1. Symmetric encryption scheme SS is IND-CCA secure.

Proposition 2. Multi-message hybrid encryption scheme $(\overline{HEG[CG]}, SS)$ is not IND-CCA secure.

Algorithm $SK(1^k)$
    $K_1' \leftarrow SK'(1^{\lceil k/2 \rceil})$
    $K_2 \leftarrow \{0,1\}^{\lfloor k/2 \rfloor}$
    Return $K_1' \| K_2$

Algorithm $SE(K, M)$
    $k \leftarrow |K|$
    $K_1' \leftarrow K[1 \ldots \lceil k/2 \rceil]$
    $K_2 \leftarrow K[1 + \lceil k/2 \rceil \ldots k]$
    $C' \leftarrow SE'(K_1', M)$
    Parse $M$ as $\langle\langle M_1, M_2 \rangle\rangle$
    If the parsing fails then Return $C' \| 1$ EndIf
    $p \leftarrow VfPK(1^k, M_1)$
    $c \leftarrow VfCtxt_F(1^k, M_1, K, M_2)$
    If ($p = 1$ and $c = 1$) then Return $C' \| 0$ else Return $C' \| 1$ EndIf

Algorithm $SD(K, C)$
    $k \leftarrow |K|$
    $K_1' \leftarrow K[1 \ldots \lceil k/2 \rceil]$
    $K_2 \leftarrow K[1 + \lceil k/2 \rceil \ldots k]$
    Parse $C$ as $C' \| d$, where $d \in \{0,1\}$
    $M' \leftarrow SD'(K_1', C')$
    Parse $M'$ as $\langle\langle M_1, M_2 \rangle\rangle$
    If the parsing fails then
        If $d = 1$ then Return $M'$ else Return $\bot$ EndIf
    EndIf
    $p \leftarrow VfPK(1^k, M_1)$
    $c \leftarrow VfCtxt_F(1^k, M_1, K, M_2)$
    If ($d = 0$ and $p = 1$ and $c = 1$) then Return $M'$ EndIf
    If ($d = 1$ and ($p \neq 1$ or $c \neq 1$)) then Return $M'$ EndIf
    Return $\bot$

Fig. 3. Algorithms of the symmetric encryption scheme SS = (SK, SE, SD) for the proof of Theorem 2. Above, $\langle\langle M_1, M_2 \rangle\rangle$ denotes an encoding of the pair of strings $(M_1, M_2)$ as a string.

Proof (Proposition 1). Let us first provide some intuition. Note that on input M, encryption algorithm $SE(K_1' \| K_2, \cdot)$ uses the encryption algorithm SE' of an IND-CCA-secure scheme to compute $C' \leftarrow SE'(K_1', M)$ and outputs $C' \| 0$ or $C' \| 1$, depending on whether M has some "special" form or not. The ciphertext ends with 0 if M parses as a pair $\langle\langle M_1, M_2 \rangle\rangle$ such that algorithms VfPK, $VfCtxt_F$ indicate that $M_1$ is a $(\overline{HEG[CG]}, k)$-valid public key and $M_2 \in [\overline{AE}(M_1, K_1' \| K_2)]$. The decryption algorithm $SD(K_1' \| K_2, \cdot)$ on input $C' \| d$, where d is a bit, computes $M' \leftarrow SD'(K_1', C')$ and returns $M'$ only if either $M'$ is of the special form and $d = 0$, or $M'$ is not of this form and $d = 1$. Therefore, an obvious strategy for an adversary against SS is to query its oracle $SE(K, LR(\cdot, \cdot, b))$ on a pair of messages such that one of them is of this special form and the other is not. Using the unique decryptability of $\overline{AE}$ and the fact that $K_2$ is chosen at random, independently from the adversary's view, we show that it cannot find such queries except with negligible probability. Moreover, we show that any strategy for the adversary can be employed by an attacker against scheme SS' to win its game. Details follow.

Let S be a legitimate polynomial-time adversary attacking SS. We will construct a legitimate polynomial-time adversary S' such that

(5)

where Q is a polynomial upper bounding the total number of queries made by S to its different oracles. Since SS' is assumed IND-CCA secure, the advantage function associated to S' above is negligible, and thus so is the advantage function associated to S. To complete the proof, we need to specify adversary S' and prove Equation (5).

Adversary S' is given input $1^{\lceil k/2 \rceil}$ and has access to oracles $SE'(K_1', LR(\cdot, \cdot, b))$ and $SD'(K_1', \cdot)$. Its goal is to guess the bit b. It runs S on input $1^k$. In this process, S will query its two oracles $SE(K, LR(\cdot, \cdot, b))$ and $SD(K, \cdot)$. To answer a query to the first of these oracles, S' forwards the query to its oracle $SE'(K_1', LR(\cdot, \cdot, b))$, appends 1 to the oracle's reply and returns the result to S. To answer a query to the second oracle, S' checks the last bit of the query. If it is 0, S' returns $\bot$ to S. Otherwise, it removes the last bit, forwards the result to its oracle $SD'(K_1', \cdot)$, and returns the answer to S. When S outputs its guess $b'$, S' returns $b'$.

We now analyze S'. Consider the experiment in which S' attacks SS'. We define the following events.

Succ(S'): S' is successful, meaning its output equals the challenge bit b.

BadE: S makes a query to oracle $SE(K, LR(\cdot, \cdot, b))$ in which one of the messages can be parsed as $\langle\langle M_1, M_2 \rangle\rangle$ such that $M_1$ is a $(\overline{HEG[CG]}, k)$-valid public key and $M_2 \in [\overline{AE}(M_1, K)]$.

BadD: S makes a query to oracle $SD(K, \cdot)$ that can be parsed as $C' \| d$, where d is a bit, such that $SD'(K_1', C') = \langle\langle M_1, M_2 \rangle\rangle$, where $M_1$ is a $(\overline{HEG[CG]}, k)$-valid public key and $M_2 \in [\overline{AE}(M_1, K)]$.

For the experiment in which S attacks SS, we define the following event.

Succ(S): S is successful, meaning its output equals the challenge bit b.

We claim that if events BadE and BadD do not occur, then S' simulates perfectly the environment provided to S in its attack against SS. First, note that answers to queries to oracle $SE(K, LR(\cdot, \cdot, b))$ can only be off by the last bit. In the absence of the "bad" events, each ciphertext returned to S as a reply to a query to oracle $SE(K, LR(\cdot, \cdot, b))$ has 1 as the last bit. This is also the case in S's real attack. If S queries $SD(K, \cdot)$ with a ciphertext $C' \| 0$, assuming events BadE and BadD do not occur, S' gives S the response it would get in the real attack, namely $\bot$. Since S is legitimate, if it queries oracle $SD(K, \cdot)$ with a ciphertext $C' \| 1$, then $C'$ must not have previously been returned by oracle $SE'(K_1', LR(\cdot, \cdot, b))$. Thus S' can legitimately make query $C'$ to its oracle $SD'(K_1', \cdot)$. If M is the response, then, assuming that events BadE and BadD do not occur, the answer S expects is exactly M. Therefore,

$$\Pr[\mathrm{Succ}(S')] \ \ge\ \Pr[\mathrm{Succ}(S') \mid \neg\mathrm{BadE} \wedge \neg\mathrm{BadD}] - \Pr[\mathrm{BadE} \vee \mathrm{BadD}] \ \ge\ \Pr[\mathrm{Succ}(S)] - \Pr[\mathrm{BadE} \vee \mathrm{BadD}].$$

We now provide an upper bound for the probability of event BadE $\vee$ BadD. Let $q_e(k)$ and $q_d(k)$ be the number of queries S makes to oracles $SE(K, LR(\cdot, \cdot, b))$ and $SD(K, \cdot)$, respectively, on input $1^k$. We observe that if $M_1$ is a $(\overline{HEG[CG]}, k)$-valid public key, then for any $M_2 \in \{0,1\}^*$, there exists a unique $K' \in [SK(1^k)]$ such that $M_2 \in [\overline{AE}(M_1, K')]$. Recall that the key for oracles $SE(K, LR(\cdot, \cdot, b))$ and $SD(K, \cdot)$ is $K = K_1' \| K_2$, where $K_2$ is chosen uniformly at random from $\{0,1\}^{\lfloor k/2 \rfloor}$ and is independent from S's view. Therefore, for any query made by S to oracle $SE(K, LR(\cdot, \cdot, b))$, the probability that one of the messages in the query parses as $\langle\langle M_1, M_2 \rangle\rangle$ such that $M_1$ is a $(\overline{HEG[CG]}, k)$-valid public key and $M_2 \in [\overline{AE}(M_1, K)]$ is at most $2/2^{\lfloor k/2 \rfloor}$. Similarly, for any query $C' \| d$, where d is a bit, made by S to oracle $SD(K, \cdot)$, the probability that $SD'(K_1', C') = M'$, where $M'$ parses as $\langle\langle M_1, M_2 \rangle\rangle$, $M_1$ is a $(\overline{HEG[CG]}, k)$-valid public key and $M_2 \in [\overline{AE}(M_1, K)]$, is at most $1/2^{\lfloor k/2 \rfloor}$. Therefore,



$$\Pr[\mathrm{BadE} \vee \mathrm{BadD}] \ \le\ \frac{2 q_e(k) + q_d(k)}{2^{\lfloor k/2 \rfloor}} \ \le\ \frac{2 \cdot Q(k)}{2^{\lfloor k/2 \rfloor}},$$

where $Q(k) = q_e(k) + q_d(k)$. Hence

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{SS', S'}(\lceil k/2 \rceil) \ =\ 2 \cdot \Pr[\mathrm{Succ}(S')] - 1 \ \ge\ 2 \Big( \Pr[\mathrm{Succ}(S)] - \frac{O(Q(k))}{2^{\lfloor k/2 \rfloor}} \Big) - 1 \ =\ \mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{SS, S}(k) - \frac{O(Q(k))}{2^{\lfloor k/2 \rfloor}}.$$

Rearranging terms gives Equation (5).



Proof (Proposition 2). We define a hybrid adversary H attacking $(\overline{HEG[CG]}, SS)$. H is given inputs $pk = ((q, g, X), fk)$ and $C_a$ and has access to oracles $SE(K, LR(\cdot, \cdot, b))$, $SD(K, \cdot)$, and $\overline{AD}(sk, \cdot)$, where $sk = ((q, g, x), fk)$. Its goal is to guess the challenge bit b. By the definition of the IND-CCA experiment for $(\overline{HEG[CG]}, SS)$ and H, pk is a $(\overline{HEG[CG]}, k)$-valid public key and $C_a \in [\overline{AE}(pk, K)]$. Therefore, $\langle\langle pk, C_a \rangle\rangle$ is a message which, when encrypted with $SE(K, \cdot)$, yields a ciphertext that has last bit 0. We observe that for any string C chosen at random from $\{0,1\}^{|C_a|} \setminus \{C_a\}$, the probability that $K = \overline{AD}(sk, C)$ is 0 (since $\overline{AE}(pk, K) = C_a$ and $\overline{AE}$ is deterministic), i.e., the probability that $C \in [\overline{AE}(pk, K)]$ is 0. Hence $\langle\langle pk, C \rangle\rangle$ is a message which, when encrypted with $SE(K, \cdot)$, yields a ciphertext that has last bit 1. (If $C \notin [\overline{AE}(pk, K)]$, then the last bit will be 1.) Thus, adversary H can construct two messages for which it can guess with probability 1 the last bit of the corresponding ciphertext. Using this information it can then guess the challenge bit. Details follow.

Adversary H chooses C at random from $\{0,1\}^{|C_a|} \setminus \{C_a\}$, makes a query $\langle\langle pk, C_a \rangle\rangle, \langle\langle pk, C \rangle\rangle$ to oracle $SE(K, LR(\cdot, \cdot, b))$, parses the response as $C' \| d$, where d is a bit, and returns d. The running time of H is clearly polynomial in k. We claim that $\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{(\overline{HEG[CG]}, SS), H}(k) = 1$. To prove this, we consider the event

Succ(H): H is successful, meaning its output equals the challenge bit b.

If challenge bit b is 0, then the response to H's query is a ciphertext that has last bit 0. If bit b is 1, then the response is a ciphertext that has last bit 1. Thus

$$\Pr[\mathrm{Succ}(H)] = \tfrac{1}{2} + \tfrac{1}{2} = 1.$$

Hence

$$\mathrm{Adv}^{\mathrm{ind\text{-}cca}}_{(\overline{HEG[CG]}, SS), H}(k) = 2 \cdot \Pr[\mathrm{Succ}(H)] - 1 = 1,$$

as desired. Notice that the adversary constructed in the proof of Proposition 2 does not make any queries to its oracles $SD(K, \cdot)$ and $\overline{AD}(sk, \cdot)$.
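The following is an added, constructed toy implementation of the scheme SS of Figure 3 together with the hybrid adversary H of Proposition 2, run against a concrete instantiation of Hash ElGamal; it is illustration written for this page, not the paper's code. Everything not on the page is an assumption: Hash ElGamal is taken in the form $\overline{AE}(pk, K) = (g^y, G(X^y) \oplus K)$ with $y = H(K)$ and both oracles G, H instantiated by one HMAC-SHA256 family keyed by fk; SS' is a constructed encrypt-then-MAC stand-in for an IND-CCA-secure symmetric scheme; the pair encoding $\langle\langle M_1, M_2 \rangle\rangle$ is a length-prefixed concatenation; k = 32 is a toy size. What it makes concrete is the mechanism of Remark 2: because fk travels inside the public key, SS can rerun the deterministic $\overline{AE}$ inside its own encryption algorithm, so H's single LR query reveals b every time.

```python
"""Constructed toy instance of Figure 3 (scheme SS) and of adversary H from Proposition 2; not the paper's code.
Assumed here, not stated on the page: Hash ElGamal has the form AE(pk, K) = (g^y, G(X^y) xor K) with y = H(K),
both oracles instantiated by one HMAC family keyed by fk; SS' is a constructed encrypt-then-MAC stand-in for
an IND-CCA-secure scheme; k = 32 is a toy size so that key generation is instant."""
import hashlib, hmac, secrets

K_BITS, FK_LEN = 32, 16                 # security parameter k = |2q+1| (toy, multiple of 16); fkl(k)
KB, HALF = K_BITS // 8, K_BITS // 16    # |K| in bytes; K = K1' || K2 with |K1'| = ceil(k/2), |K2| = floor(k/2)

def is_prime(n):                        # trial division; the page only needs that a polynomial-time test exists
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def F(key, label, data, nbytes):        # poly-time family F(fk, .) replacing the random oracle, domain-separated
    return b"".join(hmac.new(key, label + bytes([i]) + data, hashlib.sha256).digest()
                    for i in range(-(-nbytes // 32)))[:nbytes]

def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def AK():
    """Instantiated HEG key generation: safe prime p = 2q+1 of exactly k bits, g of order q, X = g^x, plus fk."""
    while True:
        q = secrets.randbits(K_BITS - 1) | (1 << (K_BITS - 2)) | 1     # odd, exactly k-1 bits
        if is_prime(q) and is_prime(2 * q + 1):
            break
    p = 2 * q + 1
    g = pow(secrets.randbelow(p - 3) + 2, 2, p)   # square of some h in [2, p-2]: generates the order-q subgroup
    x = secrets.randbelow(q - 1) + 1
    fk = secrets.token_bytes(FK_LEN)
    return (q, g, pow(g, x, p), fk), (q, g, x, fk)

def AE(pk, K):
    """Instantiated HEG encryption of a k-bit key K; deterministic because the coin y is H(K)."""
    q, g, X, fk = pk
    p = 2 * q + 1
    y = int.from_bytes(F(fk, b"H", K, 8), "big") % q
    return pow(g, y, p).to_bytes(KB, "big") + xor(F(fk, b"G", pow(X, y, p).to_bytes(KB, "big"), KB), K)

def encode_pk(pk): return b"".join(v.to_bytes(KB, "big") for v in pk[:3]) + pk[3]

def decode_pk(s):
    if len(s) != 3 * KB + FK_LEN:
        return None
    return tuple(int.from_bytes(s[i * KB:(i + 1) * KB], "big") for i in range(3)) + (s[3 * KB:],)

def VfPK(pk):
    """Key verifier: q and 2q+1 prime, |2q+1| = k, g generates the order-q subgroup of Z*_{2q+1}, X in <g>."""
    q, g, X, fk = pk
    p = 2 * q + 1
    return int(is_prime(q) and is_prime(p) and p.bit_length() == K_BITS
               and 1 < g < p and pow(g, q, p) == 1 and 0 < X < p and pow(X, q, p) == 1)

def pair(M1, M2): return len(M1).to_bytes(4, "big") + M1 + M2     # injective encoding <<M1, M2>>

def unpair(M):
    n = int.from_bytes(M[:4], "big") if len(M) >= 4 else -1
    return (M[4:4 + n], M[4 + n:]) if 0 <= n <= len(M) - 4 else None

def SEp(K1, M):                         # constructed SS': nonce, HMAC keystream, MAC over nonce||ciphertext
    nonce = secrets.token_bytes(16)
    body = nonce + xor(F(K1, b"ks", nonce, len(M)), M)
    return body + F(K1, b"mac", body, 32)

def SDp(K1, C):
    body, tag = C[:-32], C[-32:]
    if len(body) < 16 or not hmac.compare_digest(tag, F(K1, b"mac", body, 32)):
        return None
    return xor(F(K1, b"ks", body[:16], len(body) - 16), body[16:])

def special(K, M):
    """Figure 3's "special form": <<M1, M2>> with VfPK(M1) = 1 and VfCtxt(M1, K, M2) = 1, i.e. M2 = AE(M1, K)."""
    pr = unpair(M)
    pk = decode_pk(pr[0]) if pr else None
    return pk is not None and VfPK(pk) == 1 and AE(pk, K) == pr[1]

def SK(): return secrets.token_bytes(KB)   # K = K1' || K2; K2 is uniform and never leaves SS

def SE(K, M):                           # trailing bit 0 iff M is of the special form
    return SEp(K[:HALF], M) + (b"\x00" if special(K, M) else b"\x01")

def SD(K, C):                           # accept only if the trailing bit d matches the form of the plaintext
    M = SDp(K[:HALF], C[:-1])
    if M is None or C[-1] not in (0, 1):
        return None
    return M if (C[-1] == 0) == special(K, M) else None

def hybrid_adversary(pk, Ca, SE_LR):
    """Adversary H of Proposition 2: one LR query <<pk, Ca>> vs <<pk, C>>, output the reply's last bit."""
    C = Ca
    while C == Ca:
        C = secrets.token_bytes(len(Ca))
    return SE_LR(pair(encode_pk(pk), Ca), pair(encode_pk(pk), C))[-1]

def experiment(b):
    """mm-hybrid IND-CCA experiment against (instantiated HEG, SS) with challenge bit b; returns H's guess."""
    pk, sk = AK()
    K = SK()
    Ca = AE(pk, K)
    return hybrid_adversary(pk, Ca, lambda M0, M1: SE(K, (M0, M1)[b]))
```

`experiment(0)` and `experiment(1)` return 0 and 1 respectively, without H ever touching SD or $\overline{AD}$. SD accepts a ciphertext only when its trailing bit matches the form of the decrypted plaintext, which is the property the reduction to SS' in the proof of Proposition 1 relies on: an adversary that never produces a message of the special form sees ciphertexts that differ from SS' ciphertexts only by a constant trailing 1.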



Remark 2. An interesting question at this point may be why the proof of Theorem 2 fails for the RO-model Hash ElGamal scheme HEG[CG] associated to a cyclic-group generator CG — it must, since otherwise Theorem 1 would be contradicted — but succeeds for any instantiation of this scheme. The answer is that symmetric encryption scheme SS, depicted in Figure 3, runs a ciphertext verifier $VfCtxt_F$ for the asymmetric encryption scheme in question. In the case of the RO-model scheme HEG[CG], any ciphertext verifier must query random oracles G and H. But as we clarified in Section 2, SS does not have access to these oracles (although it might have access to its own, independently chosen oracle $R_S$), and so cannot run such a ciphertext verifier. The adversary of course does have access to G, H, but has no way to "pass" these objects to the encryption algorithm of the symmetric encryption scheme. On the other hand, in the instantiated scheme, the keys describing the functions instantiating the random oracles may be passed by the adversary to the encryption algorithm of SS in the form of a message containing the public key, giving SS the ability to run the ciphertext verifier. This might lead one to ask why SS does not have oracle access to G, H. This is explained in Remark 1.

As we discussed in Section 1, in [3] we provide a more general impossibility result.
Abstract. In trying to provide formal evidence that composition has security-increasing properties, we ask if the composition of non-adaptively secure permutation generators necessarily produces adaptively secure generators. We show the existence of oracles relative to which there are non-adaptively secure permutation generators, but where the composition of such generators fails to achieve security against adaptive adversaries. Thus, any proof of security for such a construction would need to be non-relativizing. This result can be used to partially justify the lack of formal evidence we have that composition increases security, even though it is a belief shared by many cryptographers.



1 Introduction 

While there is arguably no strong theory that guides the development of block- 
ciphers such as DES and AES, there is a definite belief in the community that the 
composition of functions often results in functions that have stronger security 
properties than their constituents. This is evident as many ciphers such as DES, 
AES and MARS have a “round structure” at the heart of their constructions, 
and a large part of the ciphers’ apparent security comes from the composition 
of these rounds. 

In an attempt to understand the security benefits of composition, there have 
been several papers that have tried to quantify different ways in which the com- 
position of functions increases security properties as compared to the constituent 
functions [14,1]. A natural question along these lines is to look at functions that 
are pseudo-random from the perspective of a non-adaptive adversary, but not 
that of the standard adaptive adversary, and ask if composition of these func- 
tions necessarily provides security against adaptive adversaries. It appears that 
at least some people in the cryptographic community believe this to be true. 
In fact, recently Maurer and Pietrzak [16] have shown that the cascade of two non-adaptively statistically-secure permutations results in an adaptively secure construction, where the cascade of two generators is the composition of the first with the inverse of the second. Additionally, they ask if their cascade construction can be proven secure in the computational setting.

In this paper we show that there is no non-relativizing proof that compo- 
sition of functions provides security against adaptive adversaries. Thus, this 
work falls into a general research program that demonstrates the limitations 
of black-box constructions in cryptography. Examples of such research include 
[12,19,13,5,7,6]. In the final section, we discuss how the techniques used here 
can be lifted and used on at least one other natural construction: the XOR of 
function generators. 

We note that it is not possible to strictly separate non-adaptively secure 
function generators from adaptively secure ones in the black-box model, as there 
are several black-box constructions that construct the stronger object from the 
weaker one. The first treats the non-adaptively secure generator as a pseudo- 
random number generator and then uses the construction of Goldreich, Gold- 
wasser and Micali [9] in order to construct a pseudo-random function generator. 
The second construction treats the non-adaptively secure function generator as 
a synthesizer and then constructs a function generator as described by Naor 
and Reingold in [17]. In both cases, we can go from function generators to per- 
mutation generators through the well known Luby-Rackoff construction [15]. 
However, there are several reasons why these constructions are unsatisfying: 
first, these constructions are not representative of what is done in practice to construct block-ciphers; second, they require calls to the non-adaptively secure function generators. Therefore it is natural to ask if the more efficient constructions used in practice can provide adaptive security.

Finally, since it is possible to construct adaptively secure generators from 
non-adaptively secure generators using black box techniques, this result suggests 
the possibility that one reason there may be few general theorems championing 
the general security amplification properties of compositions is that such theo- 
rems are not establishable using standard black-box proof techniques. 

1.1 Black-Box Constructions and Proofs 

Since the existence of most modern cryptographic primitives implies $\mathcal{P} \neq \mathcal{NP}$, much of modern cryptography revolves around trying to construct more complex primitives from other simpler primitives that are assumed to exist. That is, if we assume primitives of type P exist, and wish to show that a primitive of type Q exists, then we give a construction C, where $C(M_P)$ is an implementation of Q whenever $M_P$ is an implementation of P. However, most constructions in modern cryptography are black-box. More specifically, when given a primitive P, we construct a primitive Q by a construction $C^P$, where the primitive P is treated as an oracle. The difference between the two constructions is that in the former case the construction may make use of the machine description, while in the latter it only treats the primitive as an oracle to be queried: it's as if P were inside of a black box.

Observe that it is not immediately clear how to prove that there can be no black-box construction of a primitive Q from an implementation $M_P$ of a primitive P, as the implementation C and the proof of its correctness and security could always ignore the presence of the oracle P, and independently use the implementation $M_P$ in the construction C. The notion of proving black-box separation results was initiated by Baker, Gill and Solovay [2], who were interested in the techniques necessary to answer the $\mathcal{P}$ vs. $\mathcal{NP}$ question. Building on this work, Impagliazzo and Rudich [12] gave a model in which one can prove separations for cryptographic primitives. In their model they note that black-box constructions and proofs work relative to any oracle, that is they relativize, and therefore it is sufficient to provide an oracle O which implements a primitive P, but all constructions of primitive Q are not secure relative to O. Gertner, Malkin and Reingold [8] have shown that if one's goal is to rule out black-box constructions, then a weaker type of theorem will suffice: for each black-box construction $C^P$ of primitive Q, it suffices to demonstrate an oracle O that implements primitive P, but for which $C^O$ is insecure. Our result will be of this flavor.

As was stated previously, we cannot separate non-adaptive generators from 
adaptive ones, as there are black-box constructions of one from the other. How- 
ever, we show that certain constructions (those which are the composition of 
permutation generators) cannot provide provable adaptive security using black- 
box techniques. This is done by constructing an oracle for each construction that 
provides a natural representation of a non-adaptively secure permutation gener- 
ator, but where the composition of these generators is not adaptively secure. 

Finally, we note that there are several techniques that are used in cryptog- 
raphy, such as Zero-Knowledge in its many incarnations (to name but a few 
[11,10,4,18,3]) that are often used in cryptographic constructions in such a way 
that the construction, and not necessarily the technique, is non-black-box. 

1.2 Our Results 

Our main result involves permutation generators. These generators have an as- 
sociated domain-size parameter n G N that fixes the set {0, 1}” over which the 
permutations are defined. 

Theorem 1. For every polynomial m, there exists a pair of oracles relative to which there exist non-adaptively secure pseudo-random permutation generators P such that the generator $\underbrace{P \circ \ldots \circ P}_{m(n)}$ is not adaptively secure.

In the theorem $P \circ P'$ denotes the natural composition construction: it is the generator constructed by fixing the security parameter and randomly choosing a $p \in_U P$ and $p' \in_U P'$ and computing the permutation $p \circ p'$. The construction $\underbrace{P \circ \ldots \circ P}_{m(n)}$ defines the generator that generates permutations over the set $\{0,1\}^n$ by composing $m(n)$ generators P.

1.3 Preliminaries & Notations 

Let S be a finite set, and let $x \in_U S$ denote the act of choosing an element x uniformly at random from S. To describe some of the probabilistic experiments we adopt the notation $\Pr[R_1; \ldots; R_k :: E \mid C]$ to denote the probability that if random processes $R_1$ through $R_k$ are performed, in order, then, conditioned on event C, the event E occurs.

Notation 1. Let D be any finite set, and let $Q_1, Q_2 \subseteq D \times D$ be arbitrary sets of pairs. We define $Q_1 \circ Q_2 = \{(a, c) \mid \exists a, b, c \in D \text{ s.t. } (a, b) \in Q_1 \wedge (b, c) \in Q_2\}$. Generalizing this notion, for a collection of sets $Q_{k_1}, \ldots, Q_{k_m} \subseteq D \times D$ and for a vector $K = (k_1, \ldots, k_m)$, let $Q_K = Q_{k_1} \circ \ldots \circ Q_{k_m}$.

Notation 2. For any finite set D, we denote by the set of all k-tuples of distinct elements from D. In a slight abuse of notation, for a k-tuple $\mathbf{d} = (d_1, \ldots, d_k)$, we say $x \in \mathbf{d}$ if there exists an $i \le k$ such that $x = d_i$. Additionally, for a function f of the form $D \to D$, we write $f(\mathbf{d})$ to denote

Notation 3. We denote by $\Pi^n$ the set of all permutations over $\{0,1\}^n$, and we denote by $\mathcal{F}^n$ the set of all functions of the form $\{0,1\}^n \to \{0,1\}^n$.



1.4 Organization 

In Section 2 we introduce the standard definitions related to Pseudo-Random 
Permutation and Function Generators, the difference between adaptive and non- 
adaptive security, and we discuss how these definitions are lifted into relativized 
worlds. In Section 3 we present the oracles relative to which we will prove our re- 
sult. We show that, relative to these oracles, non-adaptively secure permutation 
generators exist, but that their composition does not provide adaptive security. 
This is done by showing that non-adaptive adversaries cannot make effective use 
of one of the oracles that an adaptive adversary can make use of. We demonstrate 
the oracles' lack of effectiveness to the non-adaptive adversary by demonstrating 
how the oracles' responses could easily be simulated by a non-adaptive adversary. 
In Section 4 we present the proofs of the combinatorial lemmas behind the sim- 
ulation just mentioned. We finish in Section 5 by discussing how the techniques 
presented can be lifted to get similar results for other constructions, such as 
those based on XOR. Finally, we discuss some directions for future work. 

2 Standard Definitions 

We use the standard, Turing machine based, uniform definitions for pseudo- 
random function generators and adversaries. 

Definition 1 (Function Ensembles). We call $G : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ a function generator. We say that $k \in \{0,1\}^n$ is a key of G, write $G(k, \cdot)$ as $g_k(\cdot)$ and say that key k chooses the function $g_k$. Let $g \in_U G$ represent the act of uniformly at random choosing a key k from $\{0,1\}^n$, and then using the key k to choose the function $g_k$.

Let $\ell$ be a polynomial, and let $\mathcal{N} \subseteq \mathbb{N}$ be an infinitely large set. For each $n \in \mathcal{N}$, let $G^n : \{0,1\}^{\ell(n)} \times \{0,1\}^n \to \{0,1\}^n$ be a function generator. We call $G = \{G^n \mid n \in \mathcal{N}\}$ a function ensemble. Given an ensemble G, if for every $n \in \mathcal{N}$, the function $g \in_U G^n$ is a permutation, then we say G is a permutation ensemble. We say an ensemble G is efficiently computable if there exists a Turing machine M and a polynomial p such that for all sufficiently large n, for all $x \in \{0,1\}^n$ and $k \in \{0,1\}^{\ell(n)}$, the Turing machine's output $M(k, x)$ is $G^n_k(x)$ and $M(k, x)$ runs in time $p(n)$.

Definition 2 ((Non-)Adaptive Adversaries). An adversary, A, is a probabilistic, polynomial-time Turing machine with oracle access that outputs an element in $\{0,1\}$. We denote an adversary A with access to an oracle f as $A^f$. In order to query an oracle f, A writes its query to a special oracle-query-tape, and enters a specified query request state. The response to the query is then written to an oracle-response-tape by the oracle, and A continues its computation. For accounting purposes, we assume that it takes unit time to write the response of the oracle to the tape, once A has entered the query state. An adversary is adaptive if it can make multiple queries to the oracle, where future queries can depend on the results of previous queries. A non-adaptive adversary may make multiple queries to the oracle, but all queries must be made in parallel at the same time. Formally, the adversary is permitted to write several queries at a time to the oracle-query-tape. When the machine enters the specified query state, the responses to all of the queries are written to the response tape.



Definition 3 ((Non-)Adaptive Pseudo-Random Function Generator Ensembles). Let m and $\ell$ be polynomials. Let $G = \{G^n \mid n \in \mathcal{N}\}$ be an efficiently computable function generator ensemble such that for each n the generator $G^n$ is of the form $\{0,1\}^{\ell(n)} \times \{0,1\}^n \to \{0,1\}^{m(n)}$. Define $\mathcal{F} = \{\mathcal{F}^n \mid n \in \mathcal{N}\}$.

We say that G is adaptively (resp. non-adaptively) secure if for all constants $c > 0$, for all adaptive (resp. non-adaptive) polynomial-time adversaries A and for all sufficiently large n:

$$\Big| \Pr_{k \in_U \{0,1\}^{\ell(n)},\ r \in_U \{0,1\}^*} [A^{g_k}(1^n) = 1] \ -\ \Pr_{f \in_U \mathcal{F}^n,\ r \in_U \{0,1\}^*} [A^{f}(1^n) = 1] \Big| \ <\ \frac{1}{n^c},$$

where the $r \in \{0,1\}^*$ represent the random coin-tosses made by A.

In this work we are concerned with the above definitions, but in worlds where a pair of oracles (O, R) exist. We note we use a pair of oracles, as opposed to just one, to simplify the presentation of the proof. We extend the definitions of function ensembles and adaptive/non-adaptive adversaries by allowing Turing machines to have access to the oracles O and R. We stress that non-adaptive adversaries are permitted to query O and R in an adaptive manner: the non-adaptive restriction on oracle queries in the definition of the adversary (Defn. 2) is only for the oracles f and g specified in the definition of pseudo-random function generator ensembles (Defn. 3).
3 The Separating Oracles for Composition 

We will construct an oracle that contains an information theoretically secure pseudo-random permutation generator (PRPG). By this we mean that for each n it will include $2^n$ random permutations over $\{0,1\}^n$. Clearly, a non-adaptively secure PRPG F can be immediately constructed from such an oracle, but it is also clear that the same generator will be adaptively secure. Therefore, we add another oracle R that weakens the security of O. To help describe R, suppose the construction of interest is the composition of two permutations from O, and suppose the adversary has access to a function g that is either a function chosen at random or $\pi_1 \circ \pi_2$ for $\pi_1, \pi_2 \in_U \Pi^n$. The oracle R iteratively requests the values of $y_i = g(x_i)$ for enough (but still a small number of) randomly chosen values $x_i$ that it should be able to uniquely identify $\pi_1, \pi_2 \in O$, if it is the case that $g = \pi_1 \circ \pi_2$. If R determines that there exist $\pi_1, \pi_2 \in O$ such that $y_i = \pi_1 \circ \pi_2(x_i)$ for each i, then it will predict a random input/output pair $(x^*, y^*)$, where $y^* = \pi_1 \circ \pi_2(x^*)$. Alternatively, if there is no pair of permutations in O whose composition is consistent with all of the $(x_i, y_i)$ then the oracle rejects and outputs $\bot$.

The oracle R provides a trivial way for an adaptive adversary to break the security of the composed generators: such an adversary can easily supply the $y_i = g(x_i)$ values R requests as responses to its $x_i$ challenges. If R returns a prediction $(x^*, y^*)$ that is consistent with $y^* = g(x^*)$ then almost surely g is a composition of permutations from O. In contrast, if the adversary is non-adaptive then the oracle R will be of essentially no use to the adversary because of R's iterative nature. Therefore, it is as if R does not exist to the adversary, and therefore the adversary cannot use R to help identify permutations that are in O.



3.1 Oracle Definitions 

Definition 4 (The Oracle O). Let $O^n \leftarrow \Pi^n$ denote the process of choosing an indexed set of $2^n$ random permutations from $\Pi^n$ with replacement. Let $O^n_k$ denote the kth permutation in $O^n$. Let $O = \{O^n \mid n \in \mathbb{N}\}$. Where n is clear we write $O_k$ to denote $O^n_k$. For $k_1, \ldots, k_m \in \{0,1\}^n$ and $K = (k_1, \ldots, k_m)$, let $O_K$ denote $O_{k_1} \circ \ldots \circ O_{k_m}$. Further, for $x_1, \ldots, x_\ell \in \{0,1\}^n$ and $\mathbf{x} = (x_1, \ldots, x_\ell)$, denote $O_K(\mathbf{x}) = \mathbf{y} = (O_K(x_1), \ldots, O_K(x_\ell))$.



Definition 5 (Composition Construction). Let $m : \mathbb{N} \to \mathbb{N}$ be a polynomial where for every $z \in \mathbb{N}$, $m(z) \ge 2$. For an oracle O, for every $n \in \mathbb{N}$ and $K \in \{0,1\}^{n \cdot m(n)}$, let $F^n_K(x) = O_K(x)$. Let $F = \bigcup_n \{F^n\}$ be the proposed construction for an adaptively secure PRPG.



Definition 6 (The Oracle R). For an oracle O as described in Definition 4 and a construction F of m compositions as described in Definition 5 we define the oracle R as follows. Define, with foresight, $\ell(n) = m(n) + 1$. Let $R = \{(R^n_1, R^n_2, R^n_3)\}$ be an oracle that for each n is chosen randomly according to the random process and the fixed O. The process is described below:

$R_1(1^n) = (x_1, \ldots, x_{\ell(n)})$, where $(x_1, \ldots, x_{\ell(n)})$ is chosen uniformly from the $\ell(n)$-tuples of distinct elements of $\{0,1\}^n$;

$R_2(1^n, x_1, \ldots, x_{\ell(n)}, y_1, \ldots, y_{\ell(n)}) = (x_{\ell(n)+1}, x_{\ell(n)+2})$ for the $x_1, \ldots, x_{\ell(n)}$ output by $R_1(1^n)$; any $y_1, \ldots, y_{\ell(n)} \in \{0,1\}^n$; and $(x_{\ell(n)+1}, x_{\ell(n)+2})$ chosen uniformly from the pairs of distinct elements of $\{0,1\}^n$;

$R_3(1^n, x_1, \ldots, x_{\ell(n)+2}, y_1, \ldots, y_{\ell(n)+2}) = (x^*, y^*)$ for the $(x_{\ell(n)+1}, x_{\ell(n)+2})$ output by $R_2(1^n, x_1, \ldots, x_{\ell(n)}, y_1, \ldots, y_{\ell(n)})$; any $y_{\ell(n)+1}, y_{\ell(n)+2} \in \{0,1\}^n$; $K \in_U \{K = (k_1, \ldots, k_{m(n)}) \in \{0,1\}^{n \cdot m(n)} \mid O_K(x_1, \ldots, x_{\ell(n)+2}) = (y_1, \ldots, y_{\ell(n)+2})\}$; $x^* \in_U \{0,1\}^n$; and $y^* = O_K(x^*)$.

On all other inputs to the oracles $R_1$, $R_2$ and $R_3$ the result is $\bot$. Finally, we denote by $R \xleftarrow{R} (O)$ the process of randomly choosing R given a fixed O, according to the random process described above for each $n \in \mathbb{N}$.



3.2 The Oracle O Provides Adaptive Security 

We state, without proof, the following lemma that states that most of the oracles 
O provide a natural, adaptively secure permutation generator. 

Lemma 1. For all probabilistic, polynomial-time, adaptive adversaries A and for all sufficiently large n:

$$\Pr_{O^n \leftarrow \Pi^n} \Big[\ \Big| \Pr_{f \in_U O^n,\ r \in_U \{0,1\}^*} [A^{f, O}(1^n) = 1] \ -\ \Pr_{g \in_U \Pi^n,\ r \in_U \{0,1\}^*} [A^{g, O}(1^n) = 1] \Big| \ <\ \frac{1}{2^{n/2}}\ \Big] \ >\ 1 - \frac{1}{2^{n/2}},$$

where $r \in_U \{0,1\}^*$ represents the random coin-tosses of A.



3.3 The Oracle R Breaks Adaptive Security 

Lemma 2. There exists an efficient adversary, Adv, such that for all oracle 
pairs (O, R) that could possibly be constructed, Adv breaks the adaptive security 
of F relative to O and R. 

Proof. We show that the following adversary has a significant chance of dis- 
tinguishing between the composition of m(n) functions from O and a random 
function. Note that this adversary calls / adaptively. 



Xl = {Xl, . . .,Xi(„)) ^ 

yi = {yi,-,ye(n)) ^ fixi). 

X2 (^r(n)-{-l 5 3^r(n)-t-2) ^ f? 2 (l 

V2 = {yi(n) + l,ye(n) + 2) ^ /(®2). 

If -L = R 3 {l",xi,x 2 ,yi,y 2 ) output 0. 
Otherwise output 1. 
Fix the oracles O and R. We show that if f was chosen from F then we output 1 and otherwise (w.h.p.) we output 0. It is an easy observation that if $f \in F$ then, by the construction of Adv and R, the adversary necessarily outputs 1. Alternatively, if $f \in \Pi^n$ then it is easy to see by the following claim that there is not likely to be any key K where $O_K(x) = y$ holds, and therefore the oracle R will output $\bot$, and thus (w.h.p.) Adv will output 0. We remind the reader of the notation defined in Notn. 2, as it is used in the statement of the claim.

Claim 1. For all sufficiently large n, for $x = (x_1, \ldots, x_{\ell(n)}) \in (\{0,1\}^n)^{\ell(n)}$:

$\Pr[f \in_U \Pi^n :: \exists K \in \{0,1\}^{n \cdot m(n)} \text{ s.t. } f(x) = O_K(x)] < 2^{-n}.$

Proof. Let $S = \{O_K(x) \mid K \in \{0,1\}^{n \cdot m(n)}\}$. Clearly $|S| \le 2^{n \cdot m(n)}$. Consider the probability that $f(x) \in S$; since $f \in_U \Pi^n$ it is easy to see that this probability is bounded by $2^{n \cdot m(n)} / \prod_{i=0}^{\ell(n)-1} (2^n - i) < 2^{-n}$, as $\ell(n) = m(n) + 1$. □
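To make the oracle pair concrete, the following is an added toy model (my own illustration, not code from Myers' paper) of O, of the composition F, of R = (R_1, R_2, R_3) as defined in Section 3.1, and of the adversary Adv of Lemma 2. It assumes a tiny fixed n and a constant m(n) = m so that R_3 can find a consistent key by exhaustive search; the class and function names, the seeds and the sample key K are assumptions of the example, not notation from the paper.

```python
import itertools
import random
from typing import Callable, Dict, List, Tuple

# Toy instance of the oracle pair (O, R) from Section 3.1 and of the adaptive
# adversary Adv of Lemma 2.  Constructed for illustration: n is tiny and m(n) = m
# is a constant, so that R_3 can find a consistent key by exhaustive search.
# None plays the role of the symbol ⊥ (bottom).

Key = Tuple[int, ...]   # K = (k_1, ..., k_m); an n-bit string is represented as an int


class ToyOracles:
    def __init__(self, n: int, m: int, seed: int) -> None:
        self.n, self.m, self.ell = n, m, m + 1      # l(n) = m(n) + 1, as in the paper
        self.N = 1 << n                              # |{0,1}^n|
        self.rng = random.Random(seed)               # the random choices of O and R
        # O: an independent random permutation O_k of {0,1}^n for every key k.
        self.O: Dict[int, List[int]] = {}
        for k in range(self.N):
            perm = list(range(self.N))
            self.rng.shuffle(perm)
            self.O[k] = perm
        self.r1_out: set = set()                     # tuples already handed out by R_1
        self.r2_out: dict = {}                       # (x-tuple, y-tuple) -> (x_{l+1}, x_{l+2})

    def O_k(self, k: int, x: int) -> int:
        return self.O[k][x]

    def F_K(self, K: Key, x: int) -> int:
        """The composition F_K = O_{k_m} o ... o O_{k_1} (k_1 is applied first)."""
        for k in K:
            x = self.O[k][x]
        return x

    # ---- the breaking oracle R = (R_1, R_2, R_3) -------------------------------
    def R1(self) -> Tuple[int, ...]:
        xs = tuple(self.rng.randrange(self.N) for _ in range(self.ell))
        self.r1_out.add(xs)
        return xs

    def R2(self, xs: Tuple[int, ...], ys: Tuple[int, ...]):
        # Only defined on an x-tuple that R_1 produced, with any y-tuple of the same length.
        if xs not in self.r1_out or len(ys) != self.ell:
            return None
        if (xs, ys) not in self.r2_out:              # the answer is fixed once chosen
            pool = [v for v in range(self.N) if v not in xs]
            self.r2_out[(xs, ys)] = (self.rng.choice(pool), self.rng.choice(pool))
        return self.r2_out[(xs, ys)]

    def R3(self, xs: Tuple[int, ...], ys: Tuple[int, ...]):
        l = self.ell
        if len(xs) != l + 2 or len(ys) != l + 2:
            return None
        if self.r2_out.get((xs[:l], ys[:l])) != xs[l:]:
            return None                              # x_{l+1}, x_{l+2} are not R_2's answer
        # Keys K with O_K(x_i) = y_i for all l+2 pairs (brute force; feasible only for toy n).
        consistent = [K for K in itertools.product(range(self.N), repeat=self.m)
                      if all(self.F_K(K, x) == y for x, y in zip(xs, ys))]
        if not consistent:
            return None
        K = self.rng.choice(consistent)              # K uniform among consistent keys
        x_star = self.rng.randrange(self.N)          # x* uniform in {0,1}^n
        return (x_star, self.F_K(K, x_star))         # y* = O_K(x*)


def adv(orc: ToyOracles, f: Callable[[int], int]) -> int:
    """Adv from Lemma 2: the second round of f-queries depends on the first (adaptive)."""
    x1 = orc.R1()
    y1 = tuple(f(x) for x in x1)
    x2 = orc.R2(x1, y1)
    y2 = tuple(f(x) for x in x2)
    return 0 if orc.R3(x1 + x2, y1 + y2) is None else 1


def random_permutation(n: int, seed: int) -> Callable[[int], int]:
    """A permutation g drawn from Pi^n, i.e. independent of O (the 'random function' case)."""
    perm = list(range(1 << n))
    random.Random(seed).shuffle(perm)
    return lambda x: perm[x]


def demo(n: int = 6, m: int = 2, seed: int = 2004) -> Tuple[int, int]:
    """Returns Adv's output when f = F_K (should be 1) and when f is random (should be 0)."""
    orc = ToyOracles(n, m, seed)
    K: Key = (5, 17)                                  # an arbitrary sample key (constructed)
    from_F = adv(orc, lambda x: orc.F_K(K, x))
    from_Pi = adv(orc, random_permutation(n, seed + 1))
    return from_F, from_Pi


if __name__ == "__main__":
    print(demo())   # (1, 0)
```

The two calls in `demo` are the two sides of Lemma 2: with f = F_K the oracle R_3 always finds a consistent key (at least K itself) and Adv outputs 1, while for a permutation independent of O the brute-force search in R_3 comes up empty except with the probability bounded in Claim 1, so Adv outputs 0. Note that R_3 refuses any query whose (x_{l+1}, x_{l+2}) it did not itself hand out via R_2, which is what forces the second round of f-queries to depend on the first.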

3.4 Simulating the Oracle R for Non-adaptive Adversaries 

It needs to be shown that R does not destroy the non-adaptive security of O. We 
show that for every non-adaptive adversary with access to the oracle R we can 
construct another non-adaptive adversary that is essentially just as successful 
at breaking O, but that has no access to R. Since O is a large set of random 
permutations, it is clear that without R there can be no successful distinguishing 
adversary, and therefore there must be no successful non-adaptive adversary 
relative to R either. 

We will begin by showing that for every adversary B relative to R, there exists an adversary $\hat{B}$ that distinguishes nearly as well as B, but does not make queries to $R_3$. This is done by having $\hat{B}$ simulate the responses of $R_3$. In this simulation there are two general cases: first, there are queries which are likely to be made, and in these cases it turns out that $\hat{B}$ can simulate $R_3$'s responses with only access to O. Next, there are queries that are unlikely to be made, and we cannot simulate $R_3$'s responses in these cases: we show it is incredibly unlikely that B will make such queries, and thus incorrect answers will not significantly affect the acceptance probability of $\hat{B}$. Finally, it is then a simple observation that $\hat{B}$ can easily simulate $R_1$ and $R_2$ perfectly, and thus there is no need for $\hat{B}$ to query the oracle R.

In order to construct $\hat{B}$ we need B to be in a normal form. First, we assume that an adversary never makes the same oracle query twice. Any adversary that does can be converted to one that does not by storing all of its previous oracle queries and the corresponding responses; it can then look up responses on duplicate queries. Next, for our adversary B, with access to a function oracle $f : \{0,1\}^n \to \{0,1\}^n$, we assume without loss of generality that B always makes exactly T(n) combined queries to f, O and R, for some polynomial T. Further, we will assume that B records all of its queries and their corresponding responses on its tape in a manner which is efficiently retrievable. In particular, we will assume that for each $k \in \{0,1\}^n$ there is a set $Q_k = \{(q, r)\}$ that contains all of the query/response pairs $O_k(q) = r$ that have been made; a set $Q_f = \{(q, r)\}$ that contains all the query/response pairs to the challenge function, where $f(q) = r$; and a set $S_{R_2}$ that contains all the query/response pairs to $R_2$.

Lemma 3. Let T be a polynomial. For every oracle adversary B that on input of size n makes T(n) queries, there exists an oracle adversary $\hat{B}$: $\hat{B}$ on input of size n makes at most $T(n) \cdot m(n)$ oracle queries; $\hat{B}$ never queries $R_3$; and for all sufficiently large n it is the case that

$\Pr[O \in_U \Pi;\ R \leftarrow \mathcal{F}(O);\ f \in_U O^n :: B^{O,R,f}(1^n) \neq \hat{B}^{O,R,f}(1^n)] < 5 \cdot T(n)/2^{n/2}$

and

$\Pr[O \in_U \Pi;\ R \leftarrow \mathcal{F}(O);\ f \in_U \Pi^n :: B^{O,R,f}(1^n) \neq \hat{B}^{O,R,f}(1^n)] < 5 \cdot T(n)/2^{n/2}.$

Proof. Fix n. We now construct an adversary $\hat{B}$ that doesn't make queries to $R_3$. We note that in the statement of the lemma and its proof we don't concern ourselves with the random coin-tosses of B or $\hat{B}$. It will be obvious from the proof that the random coin-tosses do not affect any of the probabilities we discuss, and that we could simply fix the random coin tosses of B and prove the theorem for each such sequence.

We will consider a series of hybrid adversaries. Let $A_i(1^n)$ be an adversary that runs $B(1^n)$ but on the first i oracle queries, rather than make an oracle query q, it runs the sub-routine G(q) and takes the output of G(q) as the result of the query. Before giving the description of G we remind the reader of the notation defined in Notn. 1 and 2. The sub-routine G is defined below:



G(q)

(1) If q is not a query to $R_3$, perform query q and let a be the oracle's response;
(2) output a.
(3) Otherwise $q = R_3(x_1, \ldots, x_{\ell(n)+2}, y_1, \ldots, y_{\ell(n)+2})$.
(4) Let $\bar{x}_1 = (x_1, \ldots, x_{\ell(n)})$ and let $\bar{x}_2 = (x_{\ell(n)+1}, x_{\ell(n)+2})$.
(5) Let $\bar{y}_1 = (y_1, \ldots, y_{\ell(n)})$ and let $\bar{y}_2 = (y_{\ell(n)+1}, y_{\ell(n)+2})$.
(6) If $((\bar{x}_1, \bar{y}_1), \bar{x}_2) \notin S_{R_2}$ output $\bot$.
(7) $\mathcal{K} = \{K \in (\{0,1\}^n \cup \{f\})^{m(n)} \mid ((\bar{x}_1, \bar{x}_2), (\bar{y}_1, \bar{y}_2)) \in Q_K\}$.
(8) If $|\mathcal{K}| \neq 1$ output $\bot$.
(9) $\mathcal{K} = \{K\}$.
(10) If $f \in K$ output $\bot$.
(11) Choose $x^* \in_U \{0,1\}^n$ and query $y^* \leftarrow O_K(x^*)$.
(12) Output $(x^*, y^*)$.



The intuition behind G is the following: for any query q to an oracle other than $R_3$ it behaves identically to that oracle on query q; for queries to $R_3$ it will almost surely output the same result as the query to $R_3$. We give a quick outline of the intuition for the latter case. First, in Line 6, when G outputs $\bot$ it is almost surely the correct answer, because if $(\bar{x}_1, \bar{y}_1)$ has not been queried from $R_2$, then the probability of the adversary guessing $\bar{x}_2$ correctly is negligible. On Line 8 we really have two cases: first, when $|\mathcal{K}| = 0$, it is unlikely there is a key K such that $O_K(\bar{x}_1, \bar{x}_2) = (\bar{y}_1, \bar{y}_2)$, and thus the response $\bot$ is almost surely correct; next, when $|\mathcal{K}| \ge 2$, G will output the incorrect answer, but the probability of this case occurring is negligible. The intuition for Line 10 is really the main point behind the proof. If the adversary manages to find a key where it can substitute the function f for part of the key, then the simulation G will output an incorrect answer. However, because of the iterative nature in which $\bar{x}_1$ and $\bar{x}_2$ are exposed and the adversary's limitation of accessing f in a non-adaptive manner, we show that the probability of this event occurring is negligible. Finally, if $(x^*, y^*)$ is output on Line 12 then the output is almost surely correct.

We now look at the cumulative errors that can be made in the hybrid process. We use the following two lemmas that are proven in Section 4.

Lemma 4. For all sufficiently large n:

$\Pr[O \in_U \Pi;\ R \leftarrow \mathcal{F}(O);\ f \in_U O^n :: A_i^{O,R,f}(1^n) \neq A_{i+1}^{O,R,f}(1^n)] < 5/2^{n/2}.$

Lemma 5. For all sufficiently large n:

$\Pr[O \in_U \Pi;\ R \leftarrow \mathcal{F}(O);\ f \in_U \Pi^n :: A_i^{O,R,f}(1^n) \neq A_{i+1}^{O,R,f}(1^n)] < 5/2^{n/2}.$

We note that by the previous two lemmas, the probability that B and $A_{T(n)+1}$ have differing outputs in the same experiments is less than $T(n) \cdot 5/2^{n/2}$ and, since T is a polynomial, this is a negligible amount. Let $\hat{B}$ be the Turing machine $A_{T(n)+1}$. We note that by inspection of G, and remembering that the call to $O_K(x^*)$ on Line 11 of G can mask m(n) queries, $\hat{B}(1^n)$ makes $T(n) \cdot m(n)$ queries. Further, the probability that $B^{O,R,f}(1^n)$ and $\hat{B}^{O,R,f}(1^n)$ have differing outputs for either experiment defined in Lemma 3 is less than $T(n) \cdot 5/2^{n/2}$. □

The last remaining step is to get rid of the queries to $R_1$ and $R_2$ that are made by $\hat{B}$. We note that the results of queries to $R_1$ and $R_2$ are independent of O and the challenge function f, and since the results of such queries are random bit strings, they are easy to simulate. Specifically, we consider a Turing machine C that executes $\hat{B}$ faithfully, but before beginning the simulation $C(1^n)$ will randomly select $(x_1, \ldots, x_{\ell(n)}) \in_U (\{0,1\}^n)^{\ell(n)}$. During the simulation of $\hat{B}(1^n)$, if there is a query to $R_1(1^n)$, it will respond with $(x_1, \ldots, x_{\ell(n)})$, and if for $y_1, \ldots, y_{\ell(n)} \in \{0,1\}^n$ there is a query to $R_2(1^n, x_1, \ldots, x_{\ell(n)}, y_1, \ldots, y_{\ell(n)})$ it responds with $(x_{\ell(n)+1}, x_{\ell(n)+2}) \in_U (\{0,1\}^n \setminus \{x_1, \ldots, x_{\ell(n)}\})^2$. Note that this simulation is perfect. We can now prove the final result of this section.
Lemma 6. For every probabilistic, polynomial-time, non-adaptive adversary A and for all sufficiently large n:

$$\Pr_{O \in_U \Pi;\ R \leftarrow \mathcal{F}(O)}\left[\ \left|\Pr_{f \in_U O^n,\ r \in \{0,1\}^*}[A^{O,R,f}(1^n) = 1] - \Pr_{g \in_U \Pi^n,\ r \in \{0,1\}^*}[A^{O,R,g}(1^n) = 1]\right| < \frac{1}{2^{n/3}}\ \right] > 1 - \frac{1}{2^{n/2}},$$

where the $r \in \{0,1\}^*$ represent the random coin-tosses made by A.

Proof. Assume for contradiction that there exists a probabilistic, polynomial time adversary B and infinitely many n for which:

$$\Pr_{O \in_U \Pi;\ R \leftarrow \mathcal{F}(O)}\left[\ \left|\Pr_{f \in_U O^n,\ r \in \{0,1\}^*}[B^{O,R,f}(1^n) = 1] - \Pr_{g \in_U \Pi^n,\ r \in \{0,1\}^*}[B^{O,R,g}(1^n) = 1]\right| \ge \frac{1}{2^{n/3}}\ \right] \ge \frac{1}{2^{n/2}}.$$

By Lemmas 4 and 5 and the discussion following them, there exists a probabilistic, polynomial time, non-adaptive adversary C that does not query oracle R and infinitely many n such that:

$$\Pr_{O \in_U \Pi;\ R \leftarrow \mathcal{F}(O)}\left[\ \left|\Pr_{f \in_U O^n,\ r \in \{0,1\}^*}[C^{O,f}(1^n) = 1] - \Pr_{g \in_U \Pi^n,\ r \in \{0,1\}^*}[C^{O,g}(1^n) = 1]\right| \ge \frac{1}{2^{n/3+1}}\ \right] \ge \frac{1}{2^{n/2}}.$$

Observing that the choices over $R \leftarrow \mathcal{F}(O)$ have no effect and can be removed, this result contradicts Lemma 1. □



By using standard counting arguments and the previous lemma, we get the 
following theorem. 

Theorem 2. There exists a pair of oracles (O, R) where O is a non-adaptively secure permutation generator and where F is not an adaptively secure permutation generator.



4 Combinatorial Lemmas 

4.1 Unique Paths Lemma 

An essential point in proving Lemmas 4 & 5 is the following: unless an adversary has already determined by oracle queries to O that $O_K(x) = y$ for a given key K of F and $\ell$-tuples x and y, the probability that $O_K(x) = y$ holds is negligible. The following lemma and its corollary formalize this concept.

Lemma 7 (Unique Paths Lemma). Let T, $\ell$ and m be polynomials. For all sufficiently large $n \in \mathbb{N}$: let $x = (x_1, \ldots, x_{\ell(n)}),\ y = (y_1, \ldots, y_{\ell(n)}) \in (\{0,1\}^n)^{\ell(n)}$; for each $i \in \{0,1\}^n$ there is a set $Q_i \subseteq (\{0,1\}^n)^2$ such that $\sum_{i \in \{0,1\}^n} |Q_i| \le$




200 Steven Myers 



$T(n)$; let $K = (k_1, \ldots, k_{m(n)}) \in (\{0,1\}^n)^{m(n)}$ such that there is no i where $(x_i, y_i) \in Q_K$; then:

$\Pr[O \in_U \Pi :: O_K(x) = y \mid \forall i, \forall (a,b) \in Q_i, O_i(a) = b] \le$ [illegible]

Proof. We consider several cases. First, we consider the case that there exists a pair $(a, b) \in Q_K$ such that either there exists an i s.t. $x_i = a$ but $y_i \neq b$, or there exists a j s.t. $y_j = b$ but $x_j \neq a$. In this case it is not possible for $O_K(x) = y$, so the probability is 0.

Second, we consider the case that there exists a $k_i \in K$ where $Q_{k_i} = \{\}$. A necessary condition for $O_K(x) = y$ is that $O_{k_i}(O_{k_{i-1}, \ldots, k_1}(x)) = O^{-1}_{k_{m(n)}, \ldots, k_{i+1}}(y)$. The probability of this event is no more than $\prod_{j=0}^{\ell(n)-1} \frac{1}{2^n - j}$ (for sufficiently large n).

Thirdly, we consider the case where for every $k_i \in K$ the corresponding set $Q_{k_i}$ is not empty. Because of our conditioning on the probability, for each $x_i$ there exists a value $k_j$ where $\alpha_i = O_{k_{j-1}, \ldots, k_1}(x_i)$ and $\beta_i = O^{-1}_{k_{m(n)}, \ldots, k_{j+1}}(y_i)$, but $(\alpha_i, \beta_i) \notin Q_{k_j}$, as otherwise $(x_i, y_i) \in Q_K$, which is not permitted by the statement of the lemma. Therefore, the probability that $O_{k_j}(\alpha_i) = \beta_i$ is less than $\frac{1}{2^n - |Q_{k_j}| - \ell(n)}$ (we subtract $\ell(n)$ in the denominator as several $x_i$'s may have this condition occur for the same key $k_j$). Therefore, the probability that $O_K(x) = y$ is less than $\prod_{i=1}^{\ell(n)} \frac{1}{2^n - |Q_i| - \ell(n)}$, which for sufficiently large n (remembering $|Q_i| \le T(n)$) gives the bound in the statement of the lemma. □



Corollary 1. Let T, $\ell$ and m be polynomials. For all sufficiently large $n \in \mathbb{N}$: let $x = (x_1, \ldots, x_{\ell(n)}),\ y = (y_1, \ldots, y_{\ell(n)}) \in (\{0,1\}^n)^{\ell(n)}$; for each $i \in \{0,1\}^n$ there is a set $Q_i \subseteq (\{0,1\}^n)^2$ such that $\sum_{i \in \{0,1\}^n} |Q_i| \le T(n)$; let $KS \subseteq (\{0,1\}^n)^{m(n)}$ be a set of keys such that for each $K \in KS$ there is no i such that $(x_i, y_i) \in Q_K$; then:

$\Pr[O \in_U \Pi :: \exists K \in KS \text{ s.t. } O_K(x) = y \mid \forall i, \forall (a,b) \in Q_i, O_i(a) = b] \le 2^{n \cdot (m(n) - \ell(n)) - \ell(n)}.$

Proof. This proof follows directly from Lemma 7 and a union bound over the probabilities of each of the keys $K \in KS$. □



4.2 Proof of Lemma 4

For the convenience of the reader, we restate Lemma 4.

Lemma 8. For all sufficiently large n:

$\Pr[O \in_U \Pi;\ R \leftarrow \mathcal{F}(O);\ f \in_U O^n :: A_i^{O,R,f}(1^n) \neq A_{i+1}^{O,R,f}(1^n)] < 5/2^{n/2}.$
Proof. We note that in the statement of the lemma and its proof we don't concern ourselves with the random coin-tosses of $A_i$ or $A_{i+1}$. It will be obvious from the proof that the random coin-tosses do not affect any of the probabilities we discuss, and that we could simply fix the random coin tosses of B and prove the theorem for each such sequence.

We begin by proving upper-bounds on two probabilistic events that we will frequently want to condition on. We will frequently want to bound the probability that $A_{i+1}$ makes any of its first i queries to $O_k$, where $f = O_k$. We will call such an event F.

Claim 2. For all sufficiently large n: $\Pr[O \in_U \Pi;\ R \leftarrow \mathcal{F}(O);\ f \in_U O^n :: A_{i+1}^{O,R,f}(1^n)$ makes a query to $O_k = f$ in one of the first i calls to $G] < 2i/2^n$.

Proof. Observe that queries to $R_1$ and $R_2$ are statistically independent of f and O. Further, the first i queries are all made by G, and therefore there have been no queries to $R_3$. Thus the probability of making a query to $O_k$ corresponding to f is no more than the probability of drawing at random the unique red ball from a vase of $2^n$ balls in i draws without replacement, as there are at most i different keys on which O can be queried. Therefore, the probability is bounded by $\sum_{j=0}^{i-1} \frac{1}{2^n - j} < \frac{2i}{2^n}$, for sufficiently large n. □

We also frequently want to bound the probability that by $A_{i+1}$'s ith call to G two oracle queries to O (or to O and f) have been made that have the same output. We call such queries collisions and we denote such an event by E.

Claim 3. For all sufficiently large n: $\Pr[O \in_U \Pi;\ R \leftarrow \mathcal{F}(O);\ f \in_U O^n ::$ after $A_{i+1}^{O,R,f}(1^n)$ makes i calls to G there exist $k \neq j \in \{0,1\}^n \cup \{f\}$ s.t. a pair $(a, b) \in Q_k$ and a pair in $Q_j$ have the same output $b] < 2(i \cdot m(n))^2/2^n$.

Proof. We note that since we are only concerned with queries made in the first i calls to G, there have been no queries to $R_3$. Next, we condition on F from Claim 2, so query results on f and $O_k$ for $k \in \{0,1\}^n$ are independent of each other. It can easily be observed that to maximize the probability of a collision the adversary should make all of its queries to different functions. The structure of G does not necessarily permit this, but this permits an easy upper-bound on the probability of a collision. Since each call to G makes at most m(n) queries, the probability of E can be upper-bounded by $(i \cdot m(n))^2/2^n$. Since for sufficiently large n the probability of event F is bounded by $2i/2^n$, we can bound the probability of the claim by $2(i \cdot m(n))^2/2^n$. □

To prove Lemma 4, we note that any difference in executions between $A_i^{O,R,f}(1^n)$ and $A_{i+1}^{O,R,f}(1^n)$ must occur in G. We will consider the places where G could have an output different from that of the actual query to the oracle, and bound this probability. We note that this can only occur on lines 6, 8, 10 and 12, and we bound the probability of error on each of these lines with the following series of claims. In order to prove the lemma we take the union bound of the errors from these claims.
Claim 4. The probability that G gives incorrect output on line 6 is less than [illegible] for all sufficiently large n.

Proof. The response to query $q = R_3(\bar{x}_1, \bar{y}_1, \bar{x}_2, \bar{y}_2)$ will always be $\bot$ unless $R_2(\bar{x}_1, \bar{y}_1) = \bar{x}_2$. If $R_2(\bar{x}_1, \bar{y}_1)$ has not yet been queried, then it is easily seen, by the definition of $R_2$, that the probability of the adversary correctly guessing $\bar{x}_2$ in its query to $R_3$ is $\frac{1}{(2^n - \ell(n))(2^n - \ell(n) - 1)}$. For sufficiently large n, this value is upper-bounded by [illegible]. □

Claim 5. The probability that G gives incorrect output on line 8 is less than [illegible] for all sufficiently large n.

Proof. For this claim, we consider two separate cases: first we consider the case in which $|\mathcal{K}| = 0$ and next we consider the case where $|\mathcal{K}| \ge 2$.

[Case $|\mathcal{K}| = 0$]: We first show that for query $R_3(\bar{x}_1, \bar{x}_2, \bar{y}_1, \bar{y}_2)$, if we let $KS = \{(k_1, \ldots, k_{m(n)}) \mid \exists i \text{ s.t. } (x_i, y_i) \in Q_{k_1, \ldots, k_{m(n)}}\}$, then with high probability $|KS| \le \ell(n) + 2$. Next, we show that for each element $K \in KS$ there is a very small chance that $O_K(\bar{x}_1, \bar{x}_2) = (\bar{y}_1, \bar{y}_2)$. We then show that for $K \in (\{0,1\}^n)^{m(n)} \setminus KS$ the chance that $O_K(\bar{x}_1, \bar{x}_2) = (\bar{y}_1, \bar{y}_2)$ holds is very small, using the Unique Paths Corollary (Corollary 1).

In order to bound (w.h.p.) the size of KS we will condition on event E from Claim 3 (i.e. there are no collisions). Observe that if E holds, then it is not possible for $|KS| > \ell(n) + 2$, as otherwise by the pigeonhole principle there would be two keys, $K = (k_1, \ldots, k_{m(n)})$ and $K' = (k'_1, \ldots, k'_{m(n)})$, where for some a ($1 \le a \le \ell(n) + 2$) we would have $y_a = O_K(x_a) = O_{K'}(x_a)$, and letting j be the largest index where $k_j \neq k'_j$ this implies $O_{k_j}(O_{k_{j-1}, \ldots, k_1}(x_a)) = O_{k'_j}(O_{k'_{j-1}, \ldots, k'_1}(x_a))$, which is a collision and thus contradicts our conditioning on event E.

Next, we condition on F from Claim 2 to ensure that responses for queries to O are statistically independent of responses for queries to f. We now bound the probability that for any specific key $K = (k_1, \ldots, k_{m(n)}) \in KS$ we have $O_K(\bar{x}_1, \bar{x}_2) = (\bar{y}_1, \bar{y}_2)$. For each such key K there exists an i s.t. $(x_i, y_i) \notin Q_K$ (otherwise $|\mathcal{K}| \ge 1$, contradicting the case we are in). Consider the smallest j such that there exists a $b \in \{0,1\}^n$ where $(x_i, b) \in Q_{k_1 \ldots k_{j-1}}$, and such that for every $b' \in \{0,1\}^n$ it is the case that $(x_i, b') \notin Q_{k_1 \ldots k_j}$. The probability that $O_{k_j}(b) = O^{-1}_{k_{j+1} \ldots k_{m(n)}}(y_i)$ is less than $1/(2^n - |Q_{k_j}|) \le 1/(2^n - i \cdot m(n))$, as at most $i \cdot m(n)$ queries have been made. Therefore, by our conditioning on E (which gives $|KS| \le \ell(n) + 2$), the probability that there exists a key $K \in KS$ such that $O_K(x) = y$ is less than $(\ell(n) + 2)$ times this bound.

For the remaining set of keys $\overline{KS} = (\{0,1\}^n)^{m(n)} \setminus KS$ the Unique Paths Corollary shows that the probability that there exists a key $K \in \overline{KS}$ such that $O_K(\bar{x}_1, \bar{x}_2) = (\bar{y}_1, \bar{y}_2)$ is no more than the bound given in Corollary 1.

Therefore, the probability of the case when $|\mathcal{K}| = 0$ is bounded by the sum of these four bounds (for sufficiently large n), where the first two summands bound the probabilities of events E and F respectively.

[Case $|\mathcal{K}| \ge 2$]: We observe that in order for $|\mathcal{K}| \ge 2$ to occur, the event E of Claim 3 must occur at least $\ell(n) + 2$ times: there must be at least one collision for each $y \in (\bar{y}_1, \bar{y}_2)$ in order for there to be two keys $K_1, K_2 \in \mathcal{K}$ such that $(\bar{y}_1, \bar{y}_2) = O_{K_1}(\bar{x}_1, \bar{x}_2) = O_{K_2}(\bar{x}_1, \bar{x}_2)$. Therefore, we can use the bound on the probability of E to bound the probability of incorrect output (for sufficiently large n). □

Claim 6. The probability that G gives incorrect output on line 10 is less than $2^{-n/2}$.

Proof. We begin by conditioning on F, so that responses from queries to $O_k$, for $k \in \{0,1\}^n$, are independent of the responses of queries from f. We consider two exclusive cases: first, when $A_{i+1}$ queries f before it queries $R_2(\bar{x}_1, \bar{y}_1)$; and second, when $A_{i+1}$ queries $R_2(\bar{x}_1, \bar{y}_1)$ before it queries f.

[Case that f was queried before $R_2(\bar{x}_1, \bar{y}_1)$]: The intuition behind this case is that the adversary needs to construct a key $K = (k_1, \ldots, k_{u-1}, f, k_{u+1}, \ldots, k_{m(n)})$ and perform queries such that $(x_{\ell(n)+2}, y_{\ell(n)+2}) \in Q_K$. We will argue that it is very unlikely that the queries $x_{\ell(n)+1}$ or $x_{\ell(n)+2}$ were made to $O_k$ for any $k \in \{0,1\}^n$ or to f before the query $R_2(\bar{x}_1, \bar{y}_1)$. Assuming this to be true, a necessary condition to find a K satisfying our requirements is to make queries $O_k(a) = \beta$, for $a, k \in \{0,1\}^n$, for which there exist $j, \gamma \in \{0,1\}^n$ such that there was a $(\beta, \gamma) \in Q_j$ at the time of the query to $R_2$. We show this is unlikely as well.

We begin by bounding the probability that there had been a query of the form $x_{\ell(n)+1}$ or $x_{\ell(n)+2}$ before the query to $R_2$. Assume the query $R_2(\bar{x}_1, \bar{y}_1)$ was the jth query ($j < i$); then the probability that there exist $\beta, k \in \{0,1\}^n$ such that $(x_{\ell(n)+1}, \beta) \in Q_k$, $(x_{\ell(n)+2}, \beta) \in Q_k$, $(x_{\ell(n)+1}, \beta) \in Q_f$ or $(x_{\ell(n)+2}, \beta) \in Q_f$ is less than $\frac{2 \cdot j \cdot m(n)}{2^n - \ell(n) - 2}$. Next, we condition on that event not happening, and show that there is a small probability that any of the $(j+1)$st through ith queries are of the form $O_k(a) = b$, where there exist $c, v \in \{0,1\}^n$ such that $(b, c) \in Q_v$ or $(b, c) \in Q_f$. For the $(s+1)$st query this probability can easily be bounded by $\frac{(s+1) \cdot m(n)}{2^n - s \cdot m(n)}$. Therefore, the probability of the first case is less than

$$\frac{2 \cdot j \cdot m(n)}{2^n - \ell(n) - 2} + \sum_{s=j}^{i-1} \frac{(s+1) \cdot m(n)}{2^n - s \cdot m(n)} \;\le\; \frac{2 \cdot i \cdot m(n)}{2^n - \ell(n) - 2} + \frac{i^2 \cdot m(n)}{2^n - (i+1) \cdot m(n)} \;\le\; 2^{-2n/3}.$$

[Case $R_2(\bar{x}_1, \bar{y}_1)$ was queried before f]: In the second case, when the adversary queries f it has already queried $R_2$, and therefore it needs to find a key $K = (k_1, \ldots, k_{u-1}, f, k_{u+1}, \ldots, k_{m(n)})$ such that for each $t \le \ell(n)$, $(x_t, y_t) \in Q_K$. A necessary condition is for there to exist an $a \in \{0,1\}^n$ and $y_s \in \bar{y}_1$ such that $(a, y_s) \in Q_{f, k_{u+1}, \ldots, k_{m(n)}}$. We show the probability of this occurring is small. We begin by showing it is unlikely that after the query to f there will exist $a, b, c, k \in \{0,1\}^n$ where both $(a, b) \in Q_f$ and $(b, c) \in Q_k$. Likewise, it is unlikely that there will exist an $a \in \{0,1\}^n$ and $y \in \bar{y}_1$ where $(a, y) \in Q_f$. If neither of these cases holds then, in order to satisfy our necessary condition, a query to O must be made after the query to f in which there exist $a, b, k \in \{0,1\}^n$ where $O_k(b) \in \bar{y}_1$. We show that the probability of this is also low, proving the lemma.

More formally, assume the query to f is the jth query. There can be at most i (parallel) queries made to f. The probability that the queries to f collide with any previously made queries is less than [illegible]. The probability that the queries to f will output a $y \in \bar{y}_1$ is bounded by [illegible]. Finally, the probability that any queries to O after the query to f will result in a $y \in \bar{y}_1$ is less than [illegible]. Therefore, by the union bound the probability of the second case can easily be bounded by [illegible].

Therefore, for all sufficiently large n the probability that the entire claim holds is bounded by [illegible] $+\, 2(i \cdot m(n))^2/2^n < 2^{-n/2}$, where the last summand accounts for our conditioning on F. □

Claim 7. The probability that G gives incorrect output on line 12 is less than $2^{-n/2}$.

Proof. The only reason we may have an incorrect output on line 12 is because the output to an actual query to $R_3(\bar{x}_1, \bar{x}_2, \bar{y}_1, \bar{y}_2)$ is $(x^*, y^*)$ for $K \in_U \{K \in \{0,1\}^{n \cdot m(n)} \mid O_K(\bar{x}_1, \bar{x}_2) = (\bar{y}_1, \bar{y}_2)\}$, $x^* \in_U \{0,1\}^n$ and $y^* = O_K(x^*)$; whereas G always outputs $O_K(x^*)$ for $K \in \mathcal{K}$ and $x^* \in_U \{0,1\}^n$. Thus, even if there exists a $K' \in (\{0,1\}^n)^{m(n)}$ where $K \neq K'$ and $O_{K'}(\bar{x}_1, \bar{x}_2) = (\bar{y}_1, \bar{y}_2)$, there is no possibility for $(x^*, O_{K'}(x^*))$ to be output by G. We show that it is highly unlikely that $|\{K \in \{0,1\}^{n \cdot m(n)} \mid O_K(\bar{x}_1, \bar{x}_2) = (\bar{y}_1, \bar{y}_2)\}| > 1$, and thus there is rarely an error in the output of G on line 12.

The result follows by conditioning on there being no collisions and then applying the Unique Paths Corollary. In particular, assuming E holds, then our sets Q satisfy the requirements for the Unique Paths Corollary where $KS = (\{0,1\}^n)^{m(n)} \setminus \mathcal{K}$. Therefore, by the Unique Paths Corollary we can bound the probability by the bound given in Corollary 1, and we bound the probability of E by $2(i \cdot m(n))^2/2^n$. Therefore by the union bound, the probability of error is less than $2^{-n/2}$ for sufficiently large n. □

To finish proving Lemma 4 we simply take the union bound on the probability of errors in Claims 4, 5, 6 and 7, and this is less than $5/2^{n/2}$, proving the lemma. □



4.3 Proof of Lemma 5

For the convenience of the reader we restate Lemma 5.

Lemma 9. For all sufficiently large n:

$\Pr[O \in_U \Pi;\ R \leftarrow \mathcal{F}(O);\ f \in_U \Pi^n :: A_i^{O,R,f}(1^n) \neq A_{i+1}^{O,R,f}(1^n)] < 5/2^{n/2}.$

Proof. We note that this proof is basically the same as the proof of Lemma 4 in the previous section. The only portion of the proof of Lemma 4 that relied on the fact that $f \in O$ as opposed to $f \in \Pi$ was Claim 2, which defines the event F and bounds the probability of it occurring, and those claims that conditioned on the event F and then later had to add in a small probability of error for the case that F held.

We remind the reader that the definition of the event F is that $A_{i+1}$ makes any of its first i queries to $O_k$, where $f = O_k$. Clearly, in the experiment for Lemma 5 the probability of the event F is 0, as $f \in \Pi$ and not O. Therefore, the probability of error in this lemma will be smaller than that of Lemma 4. □

5 Other Constructions, Concluding Remarks & Open Questions

The authors note that the basic design of this oracle and the proof techniques of 
this paper can be naturally lifted to at least one other natural construction: the 
XOR of functions. The important observation is that the construction needs to 
have some natural combinatorial property that corresponds to the Unique Paths 
Lemma, and with XOR such a property exists, although the notion needs a bit 
of massaging. The authors leave the proof of this claim to a later version of this 
paper. 

The previous observation leads to the question of whether or not there is a 
simple combinatorial characterization of those constructions that require a non- 
relativizing proof technique to show they achieve adaptive security. It also leads 
to a natural quantitative question: what is the lower-bound on the number of 
calls to a non-adaptively secure function generator in an adaptively secure black- 
box construction? Recently, there has been some success in getting quantitative 
lower bounds in such black-box settings [5,6,13], and so it is conceivable one 
could be found in this setting as well. 

As mentioned in the introduction, there is currently a known upper-bound of $O(n/\log n)$ calls to a non-adaptive generator in order to achieve black-box adaptive security. Further, the same upper-bound is achieved by two independent constructions. It would be interesting to know whether or not the current constructions are effectively the best possible. A natural question along these lines is whether or not there are any constructions that would give a smaller upper-bound.
Abstract. We propose a simple and efficient construction of a CCA-secure public-key encryption scheme from any CPA-secure identity-based encryption (IBE) scheme. Our construction requires the underlying IBE scheme to satisfy only a relatively "weak" notion of security which is known to be achievable without random oracles; thus, our results provide a new approach for constructing CCA-secure encryption schemes in the standard model. Our approach is quite different from existing ones; in particular, it avoids non-interactive proofs of "well-formedness" which were shown to underlie most previous constructions. Furthermore, applying our conversion to some recently-proposed IBE schemes results in CCA-secure schemes whose efficiency makes them quite practical.

Our technique extends to give a simple and reasonably efficient method for securing any binary tree encryption (BTE) scheme against adaptive chosen-ciphertext attacks. This, in turn, yields more efficient CCA-secure hierarchical identity-based and forward-secure encryption schemes in the standard model.

Keywords: Chosen-ciphertext security, Forward-secure encryption, Identity-based encryption, Public-key encryption.

1 Introduction 

Security against adaptive chosen-ciphertext attacks (i.e., "CCA security") is a strong and very useful notion of security for public-key encryption schemes [rs91, ddn00, bdpr98]. This notion is known to suffice for many applications of encryption in the presence of active attackers, including secure communication, auctions, voting schemes, and many others. Indeed, CCA security is commonly accepted as the security notion of choice for encryption schemes that are to be "plugged in" to a protocol running in an arbitrary setting; see, e.g., [s98].

However, there are only a handful of known public-key encryption schemes that can be proven CCA-secure in the standard model (i.e., without the use of heuristics such as random oracles). In fact, only two main techniques have been proposed for constructing such cryptosystems. The first follows the paradigm of Naor and Yung [ny90] (later extended by Sahai [s99] and simplified by Lindell [l03]), and the related scheme of Dolev, Dwork, and Naor [ddn00]. This technique uses as building blocks any CPA-secure public-key encryption scheme (i.e., any scheme secure against chosen-plaintext attacks [gm84]) along with any non-interactive zero-knowledge (NIZK) proof system [bfm88, fls90]; in turn, each of these primitives may be constructed using any family of trapdoor permutations. The encryption schemes resulting from this approach, however, are highly inefficient precisely because they employ NIZK proofs which in turn use a generic Karp reduction from an instance of the encryption scheme to an instance of some NP-complete problem. Furthermore, there are currently no known efficient NIZK proof systems even under specific assumptions and for particular cryptosystems of interest. Thus, given current techniques, this methodology for constructing CCA-secure cryptosystems serves as a "proof of feasibility" but does not lead to practical constructions.

* Work supported by NSF Trusted Computing Grant #ANI-0310751.

C. Cachin and J. Camenisch (Eds.): EUROCRYPT 2004, LNCS 3027, pp. 207-222, 2004.
© International Association for Cryptologic Research 2004

208 Ran Canetti, Shai Halevi, and Jonathan Katz

The second technique is due to Cramer and Shoup [cs98, cs02], and is based on algebraic constructs with particular homomorphic properties (namely, those which admit "smooth hash proof systems"; see [cs02]). Algebraic constructs of the appropriate type are known to exist based on some specific assumptions, namely the hardness of the decisional Diffie-Hellman problem [cs98] or the hardness of deciding quadratic residuosity or residuosity in certain groups [cs02]. More efficient schemes following the same basic technique have been given recently [gl03, cs03], and the technique leads to a number of possible instantiations which are efficient enough to be used in practice.

Interestingly, as observed by Elkind and Sahai [es02], both of these techniques for constructing CCA-secure encryption schemes can be viewed as special cases of a single paradigm. In this more general paradigm one (informally) starts with a CPA-secure cryptosystem in which certain "ill-formed" ciphertexts are indistinguishable from "well-formed" ones. A CCA-secure cryptosystem is then obtained by having the sender include a "proof of well-formedness" for the transmitted ciphertext. Both NIZK proofs and smooth hash proof systems were shown to meet the requirements for these proofs of well-formedness, and thus all the schemes mentioned above (with the possible exception of [ddn00]) may be viewed as instantiations of a single paradigm.

1.1 Our Contributions 

We propose a new approach for constructing CCA-secure public-key encryption schemes. Instead of using "proofs of well-formedness" as in all previous schemes, we give a direct construction using identity-based encryption (IBE) schemes satisfying a "weak" notion of security. A number of IBE schemes meeting this weak notion of security in the standard model were recently proposed (see below); thus, our approach yields new constructions of CCA-secure encryption in the standard model. The resulting schemes are simple and reasonably efficient, and are quite different from the ones described above. In particular, they do not seem to fit within the characterization of Elkind and Sahai. We remark that our techniques may also be used to construct a non-adaptive (or "lunchtime") CCA1-secure encryption scheme [ny90, ddn00, bdpr98] based on any weak IBE scheme; interestingly, our conversion in this case adds (essentially) no overhead to the original IBE scheme.

Before sketching our construction, we first recall the notion of IBE. The con- 
cept of identity-based encryption was introduced by Shamir [s84], and provably- 
secure IBE schemes (in the random oracle model) were recently demonstrated 
by Boneh and Franklin [bf01] and Cocks [c01]. An IBE scheme is a public-key 
encryption scheme in which, informally, any string (i.e., identity) can serve as 
a public key. In more detail, a trusted private-key generator (PKG) initializes 
the system by running a key-generation algorithm to generate “master” public 
and secret keys. The public key is published, while the PKG stores the secret 
key. Given any string id ∈ {0,1}* (which can be viewed as a receiver’s identity), 
the PKG can derive a “personal secret key” SK_id. Any sender can encrypt a 
message for this receiver using only the master public key and the string id. The 
resulting ciphertext can be decrypted using the derived secret key SK_id, but the 
message remains hidden from an adversary who does not know SK_id even if that 
adversary is given SK_id' for various identities id' ≠ id. 

In the definition of security for IBE given by Boneh and Franklin [bf01], 
the adversary is allowed to choose the “target identity” (id in the above discus- 
sion) in an adaptive manner, possibly based on the master public key and any 
keys SK_id' the adversary has obtained thus far. Boneh and Franklin construct 
a scheme meeting this definition of security based on the bilinear Diffie-Hellman 
(BDH) assumption in the random oracle model. A weaker notion of security 
for IBE, proposed by Canetti, Halevi, and Katz [chk03], requires the adversary 
to specify the target identity before the public key is published; we will refer 
to this notion of security as “weak” IBE. Canetti, et al. [chk03] show that a 
weak IBE scheme can be constructed based on the BDH assumption in the stan- 
dard model. Concurrent with the present work, more efficient constructions of 
weak IBE schemes in the standard model (including one based on the BDH as- 
sumption) were given by Boneh and Boyen [bb04]. Both of the above-mentioned 
constructions of weak IBE based on the BDH assumption build on earlier work 
of Gentry and Silverberg [gs02]. 

Our construction of CCA-secure encryption requires only an IBE scheme 
satisfying the weaker notion of security referred to above. The conversion of 
any such IBE scheme to a CCA-secure public-key encryption scheme proceeds 
as follows: The public key of the new scheme is simply the master public key 
of the IBE scheme, and the secret key is the corresponding master secret key. 
To encrypt a message, the sender first generates a key-pair (vk, sk) for a one- 
time strong signature scheme, and then encrypts the message with respect to the 
“identity” vk. (A “strong” signature scheme has the property that it is infeasible 
to create a new valid signature even for previously-signed messages.) The resulting 
ciphertext C is then signed using sk to obtain a signature σ. The final ciphertext 
consists of the verification key vk, the IBE ciphertext C, and the signature σ. 
To decrypt a ciphertext (vk, C, σ), the receiver first verifies the signature on C 
with respect to vk, and outputs ⊥ if the verification fails. Otherwise, the receiver 
derives the secret key SK_vk corresponding to the “identity” vk, and uses SK_vk 
to decrypt the ciphertext C as per the underlying IBE scheme. 

Security of the above scheme against adaptive chosen-ciphertext attacks can 
be informally understood as follows. Say a ciphertext (vk, C, σ) is valid if σ is a 
valid signature on C with respect to vk. Now consider a “challenge ciphertext” 
c* = (vk*, C*, σ*) given to the adversary. Any valid ciphertext c = (vk, C, σ) 
submitted by the adversary to a decryption oracle (implying c ≠ c*) must have 
vk ≠ vk* by the (strong) security of the one-time signature scheme. The crux of 
the security proof then involves showing that (weak) security of the IBE scheme 
implies that decrypting c does not give the adversary any further advantage in 
decrypting the challenge ciphertext. Intuitively, this is because the adversary 
would be unable to decrypt the underlying ciphertext C* even if it had the 
secret key SK_vk corresponding to vk (since vk ≠ vk*, and C* was encrypted for 
“identity” vk* using an IBE scheme). 

A simple modification of the above gives a (non-adaptive) CCA1-secure 
scheme with virtually no overhead compared to the original IBE scheme. Namely, 
replace the verification key vk by a randomly-chosen string r ∈ {0,1}^k (and 
forego any signature); the resulting ciphertext is simply (r, C), where C is en- 
crypted with respect to the “identity” r. Since an adversary cannot guess in 
advance which r a sender will use, an argument similar to the above shows that 
this scheme is secure against non-adaptive chosen-ciphertext attacks. 

Straightforward implementation of the above ideas using the “weak IBE” 
construction from [chk03] is still rather inefficient; in particular, decryption re- 
quires computation of (roughly) one bilinear mapping per bit of the verification 
key. (Using standard hashing techniques, however, one can obtain a signature 
scheme in which the length of the verification key is exactly the security param- 
eter.) One can somewhat optimize this construction by working with trees of 
high degree instead of binary trees as in [chk03]. Specifically, using a tree of de- 
gree d results in a scheme requiring n / log_2 d mapping computations for an n-bit 
verification key; in this case we pay for these savings by having to increase the 
key size by a factor of d. (We speculate that using d = 16 results in a “borderline 
practical” scheme.) Alternatively, using one of the weak IBE schemes proposed 
by [bb04] results in a considerably more efficient scheme, including one which is 
nearly as efficient as the Cramer-Shoup cryptosystem [cs98]. 

Further extensions and applications. Canetti, Halevi, and Katz [chk03] 
propose the notion of binary tree encryption (BTE), show how to construct a 
secure BTE scheme in the standard model, and furthermore show how to con- 
struct both hierarchical IBE (HIBE) schemes [hl02, gs02] and forward-secure 
encryption (FSE) schemes starting from any BTE scheme, again in the standard 
model. To obtain security against chosen-ciphertext attacks in each of these 
cases, they suggest using the technique of Naor and Yung [ny90] as adapted 
by Sahai and Lindell [s99, l03]. This involves the use of NIZK proofs, as noted 
above, which makes the resulting CCA-secure schemes highly inefficient. 

Here, we extend our technique to obtain a simple conversion from any CPA- 
secure BTE scheme to a CCA-secure BTE scheme. The resulting BTE scheme is 
considerably more efficient than a scheme derived using the previously-suggested 
approach (based on NIZK); furthermore, the efficiency gain carries over immedi- 
ately to yield improved constructions of CCA-secure HIBE and FSE schemes as 
well. Our techniques may also be used directly to convert any CPA-secure HIBE 
scheme to a CCA-secure HIBE scheme, with possibly improved efficiency. 

Implications for “black-box” separations. Our construction of a CCA- 
secure encryption scheme from any weak IBE scheme is black box in the sense 
that it only uses the underlying IBE scheme by invoking its prescribed interface 
(and not, for example, by using the circuit which implements the scheme). A 
recent result of Aiello, et al. [agmm04] rules out certain classes of black-box 
constructions of CCA-secure encryption schemes from CPA-secure ones. Com- 
bined with their result, the current work rules out the same classes of black-box 
constructions of IBE from CPA-secure encryption. 

Although a result of this sort should not be viewed as a strict impossibility 
result (after all, the known constructions of CCA-secure encryption schemes 
based on trapdoor permutations [ddn00, s99] rely on NIZK and are inherently 
non-black-box), it does rule out certain techniques for constructing IBE schemes 
based on general assumptions. 

Related work. In recent and independent work, MacKenzie, Reiter, and Yang 
[mry04] introduce the notion of tag-based non-malleability (tnm), give efficient 
constructions of “tnm-cca-secure” cryptosystems in the random oracle model, 
and show how to construct a CCA-secure cryptosystem from any tnm-cca-secure 
scheme. Interestingly, their conversion from tnm-cca security to (full) CCA se- 
curity uses a one-time signature scheme in essentially the same way that we do. 
Viewed in the context of their results, our results of Section 3 give an efficient 
construction of a tnm-cca-secure scheme from any weak IBE scheme, and imply 
an efficient and novel construction of a tnm-cca-secure scheme in the standard 
model. Our results of Section 4 have no counterpart in [mry04]. 

2 Definitions 

2.1 Public-Key Encryption 

Definition 1. A public-key encryption scheme PKE is a triple of ppt algorithms 
(Gen, E, D) such that: 

— The randomized key generation algorithm Gen takes as input a security pa- 
rameter 1^k and outputs a public key PK and a secret key SK. We write 
(PK, SK) ← Gen(1^k). 

— The randomized encryption algorithm E takes as input a public key PK and 
a message m ∈ {0,1}*, and outputs a ciphertext C. We write C ← E_PK(m). 

— The decryption algorithm D takes as input a ciphertext C and a secret key 
SK. It returns a message m ∈ {0,1}* or the distinguished symbol ⊥. We 
write m ← D_SK(C). 

We require that for all (PK, SK) output by Gen, all m ∈ {0,1}*, and all C 
output by E_PK(m) we have D_SK(C) = m. 

We recall the standard definition of security against adaptive chosen- 
ciphertext attacks (cf. [bdpr98]). 

Definition 2. A public-key encryption scheme PKE is secure against adaptive 
chosen-ciphertext attacks (i.e., “CCA-secure”) if the advantage of any ppt ad- 
versary A in the following game is negligible in the security parameter k: 

1. Gen(1^k) outputs (PK, SK). Adversary A is given 1^k and PK. 

2. The adversary may make polynomially-many queries to a decryption oracle 
D_SK(·). 

3. At some point, A outputs two messages m_0, m_1 with |m_0| = |m_1|. A bit 
b is randomly chosen and the adversary is given a “challenge ciphertext” 
C* ← E_PK(m_b). 

4. A may continue to query its decryption oracle D_SK(·) except that it may not 
request the decryption of C*. 

5. Finally, A outputs a guess b'. 

We say that A succeeds if b' = b, and denote the probability of this event by 
Pr_{A,PKE}[Succ]. The adversary’s advantage is defined as |Pr_{A,PKE}[Succ] − 1/2|. 

2.2 Identity-Based Encryption 

In an IBE scheme, an arbitrary identity (i.e., bit string) can serve as a public 
key once some master parameters have been established by a (trusted) private 
key generator (PKG). We review the definitions of Boneh and Franklin [bf01]. 

Definition 3. An identity-based encryption scheme IBE is a 4-tuple of ppt al- 
gorithms (Setup, Der, E, D) such that: 

— The randomized setup algorithm Setup takes as input a security parameter 
1^k and a value ℓ for the identity length. It outputs some system-wide parameters 
PK along with a master secret key msk. (We assume that k and ℓ are implicit 
in PK.) 

— The (possibly randomized) key derivation algorithm Der takes as input the 
master key msk and an identity ID ∈ {0,1}^ℓ. It returns the corresponding 
decryption key SK_ID. We write SK_ID ← Der_msk(ID). 

— The randomized encryption algorithm E takes as input the system-wide pub- 
lic key PK, an identity ID ∈ {0,1}^ℓ, and a message m ∈ {0,1}*; it outputs 
a ciphertext C. We write C ← E_PK(ID, m). 

— The decryption algorithm D takes as input an identity ID, its associated 
decryption key SK_ID, and a ciphertext C. It outputs a message m ∈ {0,1}* 
or the distinguished symbol ⊥. We write m ← D_{SK_ID}(ID, C). 

We require that for all (PK, msk) output by Setup, all ID ∈ {0,1}^ℓ, all SK_ID 
output by Der_msk(ID), all m ∈ {0,1}*, and all C output by E_PK(ID, m) we have 
D_{SK_ID}(ID, C) = m. 
We now give a definition of security for IBE. As mentioned earlier, this def- 
inition is weaker than that given by Boneh and Franklin and conforms to the 
“selective-node” attack considered by Canetti, et al. [chk03]. Under this defi- 
nition, the identity for which the challenge ciphertext is encrypted is selected 
by the adversary in advance (i.e., “non-adaptively” ) before the public key is 
generated. An IBE scheme satisfying this definition suffices for our purposes. 
Furthermore, schemes satisfying this definition of security in the standard model 
are known [chk03, bb04]. (For the case of the original definition of Boneh and 
Franklin, only constructions in the random oracle model are known.) 

Definition 4. An identity-based scheme IBE is secure against selective-identity, 
chosen-plaintext attacks if for all polynomially-bounded functions ℓ(·) the advan- 
tage of any ppt adversary A in the following game is negligible in the security 
parameter k: 

1. A(1^k, ℓ(k)) outputs a target identity ID* ∈ {0,1}^{ℓ(k)}. 

2. Setup(1^k, ℓ(k)) outputs (PK, msk). The adversary is given PK. 

3. The adversary A may make polynomially-many queries to an oracle 
Der_msk(·), except that it may not request the secret key corresponding to the 
target identity ID*. 

4. At some point, A outputs two messages m_0, m_1 with |m_0| = |m_1|. A bit 
b is randomly chosen and the adversary is given a “challenge ciphertext” 
C* ← E_PK(ID*, m_b). 

5. A may continue to query its oracle Der_msk(·), except that it may not request 
the secret key corresponding to the identity ID*. 

6. Finally, A outputs a guess b'. 

We say that A succeeds if b' = b, and denote the probability of this event by 
Pr_{A,IBE}[Succ]. The adversary’s advantage is defined as |Pr_{A,IBE}[Succ] − 1/2|. 

The above definition may be extended in the obvious way to encompass 
security against (adaptive) chosen-ciphertext attacks. In this case, in addition 
to the game as outlined above, the adversary now additionally has access to 
an oracle D(·) such that D(C) returns D_{SK_ID*}(ID*, C), where SK_ID* is the secret 
key associated with the target identity ID* (computed using Der_msk(ID*)).† As 
usual, the adversary has access to this oracle throughout the entire game, but 
cannot submit the challenge ciphertext C* to D. 

2.3 Binary Tree Encryption 

Binary tree encryption (BTE) was introduced by Canetti, Halevi, and Katz 
[chk03], and may be viewed as a relaxed variant of hierarchical identity-based 
encryption (HIBE) [hl02, gs02] in the following sense: in a BTE scheme, each 
node has two children (labeled “0” and “1”) while in a HIBE scheme, each node 
has arbitrarily-many children labeled with arbitrary strings. Although BTE is 
seemingly weaker than HIBE, it is known [chk03] that a BTE scheme supporting 
a tree of depth polynomial in the security parameter may be used to construct 
a full-fledged HIBE scheme (and thus, in particular, an ID-based encryption 
scheme). We review the relevant definitions of Canetti, et al. [chk03]. 

† Note that decryption queries for identities ID' ≠ ID* are superfluous, as A may 
make the corresponding Der query itself and thereby obtain SK_ID'. 

Definition 5. A binary tree encryption scheme BTE is a 4-tuple of ppt algo- 
rithms (Setup, Der, E, D) such that: 

— The randomized setup algorithm Setup takes as input a security parameter 
1^k and a value ℓ representing the maximum tree depth. It outputs some system- 
wide parameters PK along with a master (root) secret key SK_ε. (We assume 
that k and ℓ are implicit in PK and all secret keys.) 

— The (possibly randomized) key derivation algorithm Der takes as input the 
name of a node w ∈ {0,1}^{<ℓ} and its associated secret key SK_w. It returns 
secret keys SK_w0, SK_w1 for the two children of w. 

— The randomized encryption algorithm E takes as input PK, the name of a 
node w ∈ {0,1}^{≤ℓ}, and a message m, and returns a ciphertext C. We write 
C ← E_PK(w, m). 

— The decryption algorithm D takes as input the name of a node w ∈ {0,1}^{≤ℓ}, 
its associated secret key SK_w, and a ciphertext C. It returns a message m 
or the distinguished symbol ⊥. We write m ← D_{SK_w}(w, C). 

We require that for all (PK, SK_ε) output by Setup, any w ∈ {0,1}^{≤ℓ} and any 
correctly-generated secret key SK_w for this node, any message m, and all C 
output by E_PK(w, m) we have D_{SK_w}(w, C) = m. 

The following definition of security for BTE, due to [chk03], is weaker than 
the notion of security originally considered by Gentry and Silverberg [gs02]. 
As in the definition of security for ID-based encryption given in the previous 
section, the following definition refers to a “non-adaptive” selection of the node 
for which the challenge ciphertext is encrypted. Again, however, this definition 
suffices for our application, and a construction meeting this definition of security 
in the standard model is known [chk03]. (In contrast, a construction meeting 
the stronger security definition of [gs02] is known only in the random oracle 
model and only for trees of constant depth). 

Definition 6. A binary tree encryption scheme BTE is secure against selective- 
node, chosen-plaintext attacks if for all polynomially-bounded functions ℓ(·) the 
advantage of any ppt adversary A in the following game is negligible in the 
security parameter k: 

1. A(1^k, ℓ(k)) outputs a node label w* ∈ {0,1}^{≤ℓ(k)}. 

2. Setup(1^k, ℓ(k)) outputs (PK, SK_ε). In addition, algorithm Der(···) is used 
to generate the secret keys of all the nodes on the path P from the root 
to w*, and also the secret keys for the two children of w* (if |w*| < ℓ). The 
adversary is given PK and the secret keys {SK_w} for all nodes w of the 
following form: 

- w = w'b, where w'(1 − b) is a prefix of w* and b ∈ {0,1} (i.e., w is a sibling of 
some node in P); 

- w = w*0 or w = w*1 (i.e., w is a child of w*; this assumes |w*| < ℓ). 

Note that this allows the adversary to compute SK_w' for any node w' ∈ 
{0,1}^{≤ℓ} that is not a prefix of w*. 

3. At some point, A outputs two messages m_0, m_1 with |m_0| = |m_1|. A bit 
b is randomly chosen and the adversary is given a “challenge ciphertext” 
C* ← E_PK(w*, m_b). 

4. Finally, A outputs a guess b'. 

We say that A succeeds if b' = b, and denote the probability of this event by 
Pr_{A,BTE}[Succ]. The adversary’s advantage is defined as |Pr_{A,BTE}[Succ] − 1/2|. 

A BTE scheme meeting the above definition of security will be termed “secure 
in the sense of SN-CPA”. The above definition may also be extended in the 
natural way to encompass security against (adaptive) chosen-ciphertext attacks. 
(We refer to schemes meeting this definition of security as “secure in the sense 
of SN-CCA”.) Such a definition can be found in [chk03], and we describe it 
informally here: the above game is modified so that the adversary additionally 
has access to an oracle D such that D(w, C) first computes the secret key SK_w 
for node w (using SK_ε and repeated calls to Der); the oracle then outputs 
m ← D_{SK_w}(w, C). The adversary has access to this oracle throughout the entire 
game, but may not query D(w*, C*) after receiving the challenge ciphertext C* 
(we stress that the adversary is allowed to query D(w, C*) for w ≠ w*, as well 
as D(w*, C) for C ≠ C*). 

3 Chosen-Ciphertext Security from ID-based Encryption 

Given an ID-based encryption scheme Π' = (Setup, Der, E', D') secure against 
selective-identity chosen-plaintext attacks, we construct a (standard) public-key 
encryption scheme Π = (Gen, E, D) secure against chosen-ciphertext attacks. In 
the construction, we use a one-time signature scheme Sig = (G, Sign, Vrfy) in 
which the verification key output by G(1^k) has length ℓ_s(k). We require that 
this scheme be secure in the sense of strong unforgeability (i.e., an adversary is 
unable to forge even a new signature on a previously-signed message). We note 
that such a scheme may be based on any one-way function [l79, r90] so, in 
particular, such a scheme exists given the existence of Π'. The construction of 
Π proceeds as follows: 

— Gen(1^k) runs Setup(1^k, ℓ_s(k)) to obtain (PK, msk). The public key is PK 
and the secret key is msk. 

— To encrypt message m using public key PK, the sender first runs G(1^k) to 
obtain verification key vk and signing key sk (with |vk| = ℓ_s(k)). The sender 
then computes C ← E'_PK(vk, m) (i.e., the sender encrypts m with respect to 
“identity” vk) and σ ← Sign_sk(C). The final ciphertext is (vk, C, σ). 

— To decrypt ciphertext (vk, C, σ) using secret key msk, the receiver first checks 
whether Vrfy_vk(C, σ) = 1. If not, the receiver simply outputs ⊥. Otherwise, 
the receiver computes SK_vk ← Der_msk(vk) and outputs m ← D'_{SK_vk}(vk, C). 
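The conversion just described (and the sketch of it in Section 1.1), as an added runnable example; this is not code from the paper or from its authors. It assumes a placeholder in place of the IBE Π': the PlaceholderIBE class exposes the Setup/Der/E'/D' interface but is not an identity-based scheme at all (its “public key” is the master secret, so that encryption runs offline without pairing arithmetic) and has no security of its own; only the interface matters to the conversion. The one-time signature is Lamport's hash-based scheme over SHA-256, the one-way-function construction the text refers to [l79]. The names ots_gen, ots_sign, ots_verify, PlaceholderIBE, CHKScheme and demo are the example's own, and the plaintext is constructed.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
NBITS = 256          # digests are 256 bits, so a Lamport key holds 256 pairs of secrets

# --- One-time signature Sig = (G, Sign, Vrfy): Lamport's scheme over SHA-256.
# Each key pair signs exactly one message; a signature is a list of revealed preimages.

def ots_gen():
    """G(1^k): return (vk, sk). sk holds 256 pairs of 32-byte secrets, vk their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(NBITS)]
    vk = b"".join(HASH(s0).digest() + HASH(s1).digest() for s0, s1 in sk)
    return vk, sk

def _bits(msg):
    """Bits of SHA-256(msg), most significant first."""
    d = int.from_bytes(HASH(msg).digest(), "big")
    return [(d >> (NBITS - 1 - i)) & 1 for i in range(NBITS)]

def ots_sign(sk, msg):
    """Sign_sk(msg): for every bit of H(msg), reveal the secret at that position."""
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(msg)))

def ots_verify(vk, msg, sig):
    """Vrfy_vk(msg, sig): every revealed secret must hash to the published image."""
    if len(vk) != 2 * NBITS * 32 or len(sig) != NBITS * 32:
        return False
    ok = True
    for i, bit in enumerate(_bits(msg)):
        expected = vk[(2 * i + bit) * 32:(2 * i + bit + 1) * 32]
        ok &= hmac.compare_digest(HASH(sig[i * 32:(i + 1) * 32]).digest(), expected)
    return ok

# --- Placeholder for the IBE Π' = (Setup, Der, E', D').  ASSUMPTION: this is NOT an IBE
# and has no security; its "public key" is the master secret so encryption can run offline.

class PlaceholderIBE:
    def setup(self):
        msk = os.urandom(32)
        return msk, msk                      # (PK, msk); a real IBE never publishes msk

    def der(self, msk, identity):
        """Der_msk(ID): the per-identity key, here an HMAC of the identity under msk."""
        return hmac.new(msk, identity, HASH).digest()

    @staticmethod
    def _stream(key, nonce, n):
        out, ctr = b"", 0
        while len(out) < n:
            out += HASH(key + nonce + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        return out[:n]

    def enc(self, pk, identity, m):
        """E'_PK(ID, m): nonce || (m XOR keystream bound to the identity's key)."""
        nonce = os.urandom(16)
        ks = self._stream(self.der(pk, identity), nonce, len(m))
        return nonce + bytes(a ^ b for a, b in zip(m, ks))

    def dec(self, sk_id, identity, c):
        """D'_{SK_ID}(ID, C)."""
        nonce, body = c[:16], c[16:]
        return bytes(a ^ b for a, b in zip(body, self._stream(sk_id, nonce, len(body))))

# --- The conversion Π = (Gen, E, D): a fresh one-time verification key is the "identity".

class CHKScheme:
    def __init__(self, ibe):
        self.ibe = ibe

    def gen(self):
        return self.ibe.setup()                      # PK = master public key, SK = msk

    def enc(self, pk, m):
        vk, sk = ots_gen()
        c = self.ibe.enc(pk, vk, m)                  # encrypt to "identity" vk
        return vk, c, ots_sign(sk, c)                # (vk, C, σ)

    def dec(self, msk, ct):
        vk, c, sig = ct
        if not ots_verify(vk, c, sig):
            return None                              # ⊥: signature check failed
        return self.ibe.dec(self.ibe.der(msk, vk), vk, c)

def demo():
    """Round trip, a tampered ciphertext, and a ciphertext re-wrapped under a fresh vk."""
    scheme = CHKScheme(PlaceholderIBE())
    pk, msk = scheme.gen()
    m = b"constructed sample plaintext"             # constructed input
    vk, c, sig = scheme.enc(pk, m)
    good = scheme.dec(msk, (vk, c, sig))
    tampered = scheme.dec(msk, (vk, bytes([c[0] ^ 1]) + c[1:], sig))   # σ fails to verify
    vk2, sk2 = ots_gen()                             # verifies, but under another identity
    rewrapped = scheme.dec(msk, (vk2, c, ots_sign(sk2, c)))
    return good, tampered, rewrapped

if __name__ == "__main__":
    print(demo())
```

demo() returns three values: the decryption of an honest ciphertext, the ⊥ (None) produced when one bit of C is flipped so that σ no longer verifies, and the output when C is re-signed under a fresh key pair. The last case passes the signature check but is decrypted with the key for identity vk2, which is the situation the proof below argues cannot help an adversary: that key says nothing about a ciphertext encrypted to vk*.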

We first give some intuition as to why Π is secure against chosen-ciphertext 
attacks. Let (vk*, C*, σ*) be the challenge ciphertext (cf. Definition 2). It should 
be clear that, without any decryption oracle queries, the value of the bit b remains 
hidden to the adversary; this is so because C* is output by Π', which is CPA- 
secure, vk* is independent of the message, and σ* is merely the result of applying 
the signing algorithm to C*. 

We claim that decryption oracle queries cannot further help the adversary 
in guessing the value of b. On one hand, if the adversary submits a ciphertext 
(vk', C', σ') different from the challenge ciphertext but with vk' = vk*, then 
the decryption oracle will reply with ⊥ since the adversary is unable to forge 
new, valid signatures with respect to vk*. On the other hand, if vk' ≠ vk* then 
(informally) the decryption query will not help the adversary since the eventual 
decryption using D' (in the underlying scheme Π') will be done with respect 
to a different “identity” vk'. Below, we formally prove that this cannot help an 
adversary. 

Theorem 1. If Π' is an IBE scheme which is secure against selective-identity, 
chosen-plaintext attacks and Sig is a strongly unforgeable one-time signature 
scheme, then Π is a PKE scheme which is secure against adaptive chosen- 
ciphertext attacks. 

Proof. Given any ppt adversary A attacking Π in an adaptive chosen-ciphertext 
attack, we construct a ppt adversary A' attacking Π' in a selective-identity, 
chosen-plaintext attack. Relating the success probabilities of these adversaries 
gives the desired result. 

Before specifying A', we first define event Forge and bound the probability of 
its occurrence. Let (vk*, C*, σ*) be the challenge ciphertext received by A, and 
let Forge denote the event that A submits to its decryption oracle a ciphertext 
(vk*, C, σ) with (C, σ) ≠ (C*, σ*) but for which Vrfy_vk*(C, σ) = 1. (We include 
in this event the case when A submits such a query to its decryption oracle 
before receiving the challenge ciphertext; in this case, we do not require (C, σ) ≠ 
(C*, σ*).) It is easy to see that we can use A to break the underlying one-time 
signature scheme Sig with probability exactly Pr_A[Forge]; since Sig is a strongly 
unforgeable one-time signature scheme, it must be the case that Pr_A[Forge] is 
negligible (in the security parameter k). 

We now define adversary A' as follows: 

1. A'(1^k, ℓ_s(k)) runs G(1^k) to generate (vk*, sk*). It then outputs the “target 
identity” ID* = vk*. 

2. Setup(1^k, ℓ_s(k)) outputs (PK, msk) and A' is given PK. Adversary A', in 
turn, runs A on input 1^k and PK. 

3. When A makes decryption oracle query D((vk, C, σ)), adversary A' proceeds 
as follows: 

(a) If Vrfy_vk(C, σ) ≠ 1, then A' simply returns ⊥. 

(b) If Vrfy_vk(C, σ) = 1 and vk = vk* (i.e., event Forge occurs), then A' halts 
and outputs a random bit. 

(c) If Vrfy_vk(C, σ) = 1 and vk ≠ vk*, then A' makes the oracle query 
Der_msk(vk) to obtain SK_vk. It then computes m ← D'_{SK_vk}(vk, C) and 
returns m. 

4. At some point, A outputs two equal-length messages m_0, m_1. These messages 
are output by A'. In return, A' is given a challenge ciphertext C*; adversary 
A' then computes σ* ← Sign_sk*(C*) and returns (vk*, C*, σ*) to A. 

5. A may continue to make decryption oracle queries, and these are answered 
as before. (Recall, A may not query the decryption oracle on the challenge 
ciphertext itself.) 

6. Finally, A outputs a guess b'; this same guess is output by A'. 

Note that A' represents a legal adversarial strategy for attacking Π' in a 
selective-identity, chosen-plaintext attack; in particular, A' never requests the 
secret key corresponding to “target identity” vk*. Furthermore, A' provides a 
perfect simulation for A (and thus A' succeeds whenever A succeeds) unless 
event Forge occurs. We therefore have: 

\[
\Pr_{A',\Pi'}[\mathsf{Succ}] \;\geq\; \Pr_{A,\Pi}[\mathsf{Succ}] - \tfrac{1}{2} \cdot \Pr_{A}[\mathsf{Forge}].
\]

Since Pr_{A',Π'}[Succ] is negligibly close to 1/2 (because Π' is assumed to be secure 
against selective-identity, chosen-plaintext attacks), and since Pr_A[Forge] is 
negligible, it must be the case that Pr_{A,Π}[Succ] is negligibly close to 1/2 as well. 

4 Chosen-Ciphertext Security for BTE Schemes 

The techniques of the previous section may also be used to construct a BTE 
scheme secure in the sense of SN-CCA from any BTE scheme secure in the sense 
of SN-CPA. Roughly, we view the subtree of each node as a (hierarchical) IBE 
scheme, and use the scheme from the previous section for that subtree. We first 
give a high-level overview for the simpler case of a BTE scheme which only allows 
encryption to nodes at a single depth ℓ (as opposed to a full-fledged BTE scheme 
which allows encryption to nodes at all depths ≤ ℓ). To encrypt a message for 
node w, the sender generates keys (vk, sk) for a one-time signature scheme (as 
in the previous section) and encrypts the message m for “node” w|vk to obtain 
ciphertext C; the sender additionally signs C using sk, resulting in signature σ. 
The complete ciphertext is (vk, C, σ). When node w, holding secret key SK_w, 
receives a ciphertext of this form, it first verifies that the signature is correct with 
respect to vk. If so, the receiver computes the secret key SK_{w|vk} on its own (using 
repeated applications of the Der algorithm) and then uses this key to recover m 
from C. As for the scheme from the previous section, the intuition here is that 
encryption to “node” w|vk is secure even if an adversary can obtain secret keys 
for multiple “nodes” w'|vk' with (w', vk') ≠ (w, vk) (recall we are assuming here 
that all nodes w are at the same depth, so w'|vk' cannot be a prefix of w|vk). 
Thus, even more so, encryption to “node” w|vk remains secure if the adversary 
can obtain (only) decryptions of ciphertexts intended for “nodes” w'|vk' of this 
sort. And of course, the adversary is unable to obtain any decryptions for “node” 
w|vk itself unless it can forge a new signature with respect to vk. 

The construction is a bit more involved for the case of general BTE schemes 
(i.e., when encryption is allowed to nodes at arbitrary depth rather than at a 
single depth). The issue that we must resolve is the encoding of node names; 
for example, we must ensure that w|vk is not mapped to the same node as 
some other w'. A simple way of resolving this issue is to encode each node name 
w = w_1 w_2 ··· w_t as 1w_1 1w_2 ··· 1w_t, and then encode w|vk as 1w_1 1w_2 ··· 1w_t 0|vk. 
We describe the full construction in detail below. 

Let Π' = (Setup', Der', E', D') be a BTE scheme and let Sig = (G, Sign, Vrfy) 
be a one-time signature scheme in which the verification key output by G(1^k) 
has length ℓ_s(k). As in the previous section, we require this scheme to be secure 
in the sense of strong unforgeability. Next, define a function Encode on strings 
w such that: 

\[
\mathrm{Encode}(w) =
\begin{cases}
\varepsilon & \text{if } w = \varepsilon \\
1w_1\,1w_2 \cdots 1w_t & \text{if } w = w_1 \cdots w_t \text{ (with } w_i \in \{0,1\})
\end{cases}
\]

(Note that |Encode(w)| = 2|w|.) The construction of binary tree encryption 
scheme Π = (Setup, Der, E, D) proceeds as follows: 

— Setup(1^k, ℓ) runs Setup'(1^k, 2ℓ + ℓ_s(k) + 1) to obtain (PK, SK_ε). The system- 
wide public key is PK and the root secret key is SK_ε. 

— Der(w, SK_w) proceeds as follows. First, set w' = Encode(w). Next, compute 
SK'_{w'1} using Der'_{SK'_{w'}}(w'), followed by (SK'_{w'10}, SK'_{w'11}) ← Der'_{SK'_{w'1}}(w'1). 
Set SK_w0 = SK'_{w'10} and SK_w1 = SK'_{w'11}, and output (SK_w0, SK_w1). (Note 
that w'10 = Encode(w0) and analogously for w'11.) 

(Intuitively, any node w in scheme Π corresponds to a node w' = Encode(w) 
in Π'. Thus, secret key SK_w for node w (in Π) corresponds to secret key 
SK'_{w'} for node w' (in Π'). So, to derive the secret keys for the children of w 
(i.e., w0, w1) in Π, we must derive the keys for the (right) grandchildren of 
node w' in Π'.) 

— To encrypt message m for a node w ∈ {0,1}^{≤ℓ} using public parameters 
PK, the sender first runs G(1^k) to obtain verification key vk and signing 
key sk. Next, the sender sets w' = Encode(w). The sender then computes 
C ← E'_PK(w'|0|vk, m) (i.e., the sender encrypts m with respect to “node” 
w'|0|vk using Π') and σ ← Sign_sk(C). The final ciphertext is (vk, C, σ). 

— Node w, with secret key SK_w, decrypts a ciphertext (vk, C, σ) as follows. 
First, check whether Vrfy_vk(C, σ) = 1. If not, simply output ⊥. Otherwise, let 
w' = Encode(w). The receiver then computes the secret key SK'_{w'|0|vk} using 
repeated applications of Der', and outputs m ← D'_{SK'_{w'|0|vk}}(w'|0|vk, C). 
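The Encode map and the prefix property the construction depends on, as an added example (not the paper's code). encode, target_node and derivation_path follow the definitions above (derivation_path lists the Π' nodes the receiver walks with repeated Der' calls, starting from SK'_{Encode(w)}). naive_node and prefix_conflicts are the example's own additions: the former is the plain concatenation w|vk that the text says must be avoided, and the latter exhaustively checks, over all node names of depth at most max_depth and all vk_len-bit “verification keys”, whether some target name is in a prefix relation with a plain node name outside its own ancestry or with another target name. Such a relation is what would let a key the SN-CPA adversary may legitimately hold reach the challenge node.

```python
from itertools import product

def encode(w: str) -> str:
    """Encode(w) from the construction: ε ↦ ε and w_1...w_t ↦ 1w_1 1w_2 ... 1w_t (length 2|w|)."""
    assert set(w) <= {"0", "1"}, "node names are bit strings"
    return "".join("1" + bit for bit in w)

def target_node(w: str, vk: str) -> str:
    """The Π' node the sender encrypts to: Encode(w) | 0 | vk.  The lone '0' marks the split."""
    return encode(w) + "0" + vk

def naive_node(w: str, vk: str) -> str:
    """Plain concatenation w | vk, the encoding the text warns against (counterexample only)."""
    return w + vk

def derivation_path(w: str, vk: str) -> list:
    """Nodes visited by the receiver's repeated Der' calls from Encode(w) down to the target."""
    start, target = encode(w), target_node(w, vk)
    return [target[:i] for i in range(len(start) + 1, len(target) + 1)]

def prefix_conflicts(label, node_name, max_depth: int, vk_len: int) -> list:
    """Exhaustive search over a small tree for a target name that is a prefix of, or has as a
    prefix, (a) a plain node name outside the target's own ancestry or (b) another target name.
    `label(w, vk)` builds target names and `node_name(u)` builds plain node names."""
    nodes = ["".join(b) for d in range(max_depth + 1) for b in product("01", repeat=d)]
    vks = ["".join(b) for b in product("01", repeat=vk_len)]
    conflicts = []
    for w in nodes:
        for vk in vks:
            t = label(w, vk)
            # ancestors of w legitimately hold keys above the target; everything else must not
            others = [node_name(u) for u in nodes if not w.startswith(u)]
            others += [label(u, v) for u in nodes for v in vks if (u, v) != (w, vk)]
            conflicts += [(w, vk, n) for n in others if n.startswith(t) or t.startswith(n)]
    return conflicts

if __name__ == "__main__":
    print(derivation_path("01", "10"))
    print(len(prefix_conflicts(target_node, encode, 3, 2)), "conflicts with Encode")
    print(len(prefix_conflicts(naive_node, lambda u: u, 3, 2)), "conflicts with plain w|vk")
```

With the encoding, the search finds no conflict: every even position of Encode(u) is a 1, while the target carries a 0 at position 2|w|, so names of different shape can never be prefixes of one another; with plain concatenation, a target such as 0|1 coincides with the ordinary node 01, whose key the adversary may hold.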

Remark 1. The above approach can be used to derive a CCA-secure HIBE 
scheme from a CPA-secure HIBE scheme in the following way: CPA-secure HIBE 
trivially implies CPA-secure BTE; the conversion above yields CCA-secure BTE; 
and the latter implies CCA-secure HIBE (see [chk03]). However, it will in gen- 
eral be much more efficient to apply the above techniques directly. In this case, 
we would simply encode the ID-vector w = w_1|···|w_t as w' = 1w_1|···|1w_t, and 
encode w|vk as an ID-vector w'|0vk. 

We now state the main result of this section: 

Theorem 2. If Π' is a BTE scheme which is secure in the sense of SN-CPA 
and Sig is a strongly unforgeable one-time signature scheme, then Π is a BTE 
scheme which is secure in the sense of SN-CCA. 

Proof. The proof is largely similar to that of Theorem 1. Given any ppt adver- 
sary A attacking Π in a selective-node, chosen-ciphertext attack, we construct 
a ppt adversary A' attacking Π' in a selective-node, chosen-plaintext attack. 
Relating the success probabilities of these adversaries gives the desired result. 

We first define event Forge; because we are working in the context of BTE, the 
definition is slightly different from the definition used in the proof of Theorem 1. 
Specifically, let w* denote the node initially output by A, and let (vk*, C*, σ*) 
be the challenge ciphertext received by A. Now, let Forge denote the event that 
A makes a decryption query D(w*, (vk*, C', σ')) with (C', σ') ≠ (C*, σ*) but for 
which Vrfy_vk*(C', σ') = 1. (We include in this event the case when A submits 
such a query to its decryption oracle before receiving the challenge ciphertext; 
in this case, we do not require (C', σ') ≠ (C*, σ*).) It is easy to see that we can 
use A to break the underlying one-time signature scheme Sig with probability 
exactly Pr_A[Forge]; since Sig is a strongly unforgeable one-time signature scheme, 
it must be the case that Pr_A[Forge] is negligible (in the security parameter k). 
We now define adversary A' as follows: 

1. A!{1^,P) sets 1= {P — Ia{k) — l)/2 and runs A{1^,P) who, in turn, outputs 
a node w* G {0, 1}-^. Adversary A' sets w' = Encode(w*), and runs Q{1^) 
to generate (vk*,sk*). Finally, A! outputs the node w*' = w'|0|uA:*. 

2. $A'$ is given $PK$ as well as a set of secret keys $\{SK_w\}$ for all nodes $w$ of the following form:

- $w = v\bar{b}$, where $vb$ is a prefix of $w^{*\prime}$ and $b \in \{0,1\}$;

- $w = w^{*\prime}0$ or $w = w^{*\prime}1$ (in case $|w^{*\prime}| < \ell$).

Using these, $A'$ can compute and give to $A$ all the relevant secret keys that $A$ expects.

3. When $A$ makes decryption query $\mathcal{D}(w, (vk, C, \sigma))$, adversary $A'$ proceeds as follows:

(a) If $\mathsf{Vrfy}_{vk}(C, \sigma) \neq 1$, then $A'$ simply returns $\bot$.

(b) If $w = w^*$, $\mathsf{Vrfy}_{vk}(C, \sigma) = 1$, and $vk = vk^*$ (i.e., event Forge occurs), then $A'$ halts and outputs a random bit.

(c) Otherwise, set $\bar{w} = \mathsf{Encode}(w)$. Note that $A'$ is able to derive the secret key corresponding to the “node” $\bar{w}|0|vk$ using the secret keys it obtained in step 2 (this follows since $\bar{w}|0|vk$ cannot be a prefix of $w^{*\prime}$). So, $A'$ simply computes the necessary key, performs the decryption of $C$, and returns the result to $A$.
4. When $A$ outputs its two messages $m_0, m_1$, these same messages are output by $A'$. In return, $A'$ receives a ciphertext $C^*$. Adversary $A'$ computes $\sigma^* \leftarrow \mathsf{Sign}_{sk^*}(C^*)$ and returns ciphertext $(vk^*, C^*, \sigma^*)$ to $A$.

5. Any subsequent decryption queries of A are answered as before. 

6. Finally, $A$ outputs a guess $b'$; this same guess is output by $A'$.

Note that $A'$ represents a legal adversarial strategy for attacking $\Pi'$. Furthermore, $A'$ provides a perfect simulation for $A$ (and thus $A'$ succeeds whenever $A$ succeeds) unless event Forge occurs. An analysis as in the proof of Theorem 1 shows that $\Pr_{A'}[\mathsf{Succ}]$ must be negligibly close to $1/2$.

The above construction requires only a one-time signature scheme in addition to the underlying BTE scheme; the existence of the former (which may be constructed from any one-way function) is implied by the existence of any BTE scheme secure in the sense of SN-CPA. Putting these observations together shows:

Theorem 3. If there exists a BTE scheme secure in the sense of SN-CPA, then there exists a BTE scheme secure in the sense of SN-CCA.

Note that an analogous result for the case of (standard) public-key encryption 
is not known. 

Further applications. In [chk03] it is shown that any BTE scheme can be used to construct both a forward-secure public-key encryption scheme as well as a “full-fledged” HIBE scheme (and, as a special case, an IBE scheme). Furthermore, if the original BTE scheme is secure against chosen-ciphertext attacks, then so are the derived schemes. Canetti, et al. further suggest [chk03] that a BTE scheme secure in the sense of SN-CCA can be derived using the Naor-Yung paradigm [ny90] along with 1-time, simulation-sound NIZK proofs [s99]. As mentioned in the Introduction, the use of NIZK proofs results in a completely impractical scheme, at least using currently-known techniques. Thus, the approach of this section provides a more efficient way of achieving CCA security for any BTE scheme (as well as CCA security for forward-secure encryption or HIBE) in the standard model. (See also Remark 1.)

When our techniques are applied to a BTE/IBE/HIBE scheme secure against 
selective-node/identity attacks, the resulting CCA-secure scheme is also only 
resilient to selective-node/identity attacks. However, when our techniques are 
applied to stronger schemes which are CPA-secure against an adaptive choice of 
node/identity, the resulting CCA-secure scheme maintains this level of security 
as well. 

We remark that when the transformation outlined in this section is applied to the recent constructions of Boneh and Boyen [bb04], we obtain truly practical constructions of IBE and HIBE schemes secure against selective-identity, chosen-ciphertext attacks in the standard model.
Abstract. We construct two efficient Identity Based Encryption (IBE) systems that are selective identity secure without the random oracle model. Selective identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to the identity that it intends to attack, whereas in the standard model the adversary is allowed to choose this identity adaptively. Our first secure IBE system extends to give a selective identity Hierarchical IBE secure without random oracles.

1 Introduction 

Boneh and Franklin [BF01, BF03] recently defined a security model for Identity Based Encryption [Sha84] and gave a construction using bilinear maps. Cocks [Coc01] describes another construction using quadratic residues. Proving security for these systems requires the random oracle model [BR93]. A natural open question is to construct a secure IBE system without random oracles. No such system is currently known.

In the Boneh-Franklin security model the adversary can issue both adaptive chosen ciphertext queries and adaptive chosen identity queries (i.e., the adversary can request the private key for identities of its choice). Eventually, the adversary adaptively chooses the identity it wishes to attack and asks for a semantic security challenge for this identity. Canetti et al. [CHK03, CHK04] recently proposed a slightly weaker security model, called selective identity IBE. In this model the adversary must commit ahead of time (non-adaptively) to the identity it intends to attack. The adversary can still issue adaptive chosen ciphertext and adaptive chosen identity queries. Canetti et al. are able to construct a provably secure IBE in this weaker model without the random oracle model. However, their construction views identities as bit strings, causing their system to require a bilinear map computation for every bit in the identity.

We construct two efficient IBE systems that are provably selective identity secure without the random oracle model. In both systems, encryption requires no bilinear map computation and decryption requires at most two. Our first construction is based on the Decision Bilinear Diffie-Hellman (Decision BDH) assumption. This construction extends to give an efficient selective identity secure Hierarchical IBE (HIBE) without random oracles. Hierarchical IBE was defined in [HL02] and the first construction in the random oracle model was given by Gentry and Silverberg [GS02]. Our efficient HIBE construction is similar to the Gentry-Silverberg system, but we are able to prove security without using random oracles. Our second IBE construction is even more efficient, but is based on a new assumption we call Decision Bilinear Diffie-Hellman Inversion (Decision BDHI). Roughly speaking, the assumption says that no efficient algorithm can distinguish $e(g,g)^{1/x}$ from random, given $g, g^x, \ldots, g^{x^q}$ for some $q$.

Canetti et al. [CHK04] recently showed that any selective identity, chosen plaintext IBE gives a chosen ciphertext secure (CCA2) public key system. Consequently, both our IBE systems give efficient CCA2-secure public key systems without random oracles. In particular, using our second system we obtain a CCA2-secure public key system that has comparable efficiency to the Cramer-Shoup system based on DDH.

2 Preliminaries 

Before presenting our results we briefly review the definition of security for an 
IBE system. We also review the definition of groups equipped with a bilinear 
map. 



2.1 Selective Identity Secure IBE and HIBE Systems 

Recall that an Identity Based Encryption system (IBE) consists of four algorithms [Sha84, BF01]: Setup, KeyGen, Encrypt, Decrypt. The Setup algorithm generates system parameters, denoted by params, and a master key master-key. The KeyGen algorithm uses the master key to generate the private key corresponding to a given identity. The encryption algorithm encrypts messages for a given identity (using the system parameters) and the decryption algorithm decrypts ciphertexts using the private key. In a Hierarchical IBE [HL02, GS02] identities are vectors. A vector of dimension $\ell$ represents an identity at depth $\ell$. Algorithm KeyGen takes as input an identity $\mathrm{ID} = (I_1, \ldots, I_\ell)$ at depth $\ell$ and the private key $d_{\mathrm{ID}|\ell-1}$ of the parent identity $\mathrm{ID}|_{\ell-1} = (I_1, \ldots, I_{\ell-1})$ at depth $\ell - 1$. It outputs the private key for identity ID. We refer to the master-key as the private key at depth 0 and note that an IBE system is an HIBE where all identities are at depth 1.

Boneh and Franklin [BF01, BF03] define chosen ciphertext security for IBE systems under a chosen identity attack. In their model the adversary is allowed to adaptively choose the public key it wishes to attack (the public key on which it will be challenged). Canetti, Halevi, and Katz [CHK03, CHK04] define a weaker notion of security in which the adversary commits ahead of time to the public key it will attack. We refer to this notion as selective identity, chosen ciphertext secure IBE (IND-sID-CCA). More precisely, selective identity IBE and HIBE security is defined using the following game:

Init: The adversary outputs an identity ID* where it wishes to be challenged. 

Setup: The challenger runs the Setup algorithm. It gives the adversary the 
resulting system parameters params. It keeps the master-key to itself. 

Phase 1: The adversary issues queries $q_1, \ldots, q_m$ where query $q_i$ is one of:

- Private key query $(\mathrm{ID}_i)$ where $\mathrm{ID}_i \neq \mathrm{ID}^*$ and $\mathrm{ID}_i$ is not a prefix of $\mathrm{ID}^*$. The challenger responds by running algorithm KeyGen to generate the private key $d_i$ corresponding to the public key $(\mathrm{ID}_i)$. It sends $d_i$ to the adversary.

- Decryption query $(C_i)$ for identity $\mathrm{ID}^*$ or any prefix of $\mathrm{ID}^*$. The challenger responds by running algorithm KeyGen to generate the private key $d$ corresponding to $\mathrm{ID}^*$ (or the relevant prefix thereof as requested). It then runs algorithm Decrypt to decrypt the ciphertext $C_i$ using the private key $d$. It sends the resulting plaintext to the adversary.

These queries may be asked adaptively, that is, each query $q_i$ may depend on the replies to $q_1, \ldots, q_{i-1}$.

Challenge: Once the adversary decides that Phase 1 is over it outputs two equal length plaintexts $M_0, M_1 \in \mathcal{M}$ on which it wishes to be challenged. The challenger picks a random bit $b \in \{0,1\}$ and sets the challenge ciphertext to $C = \mathrm{Encrypt}(\mathrm{params}, \mathrm{ID}^*, M_b)$. It sends $C$ as the challenge to the adversary.

Phase 2: The adversary issues additional queries $q_{m+1}, \ldots, q_n$ where $q_i$ is one of:

- Private key query $(\mathrm{ID}_i)$ where $\mathrm{ID}_i \neq \mathrm{ID}^*$ and $\mathrm{ID}_i$ is not a prefix of $\mathrm{ID}^*$. The challenger responds as in Phase 1.

- Decryption query $(C_i) \neq (C)$ for $\mathrm{ID}^*$ or any prefix of $\mathrm{ID}^*$. The challenger responds as in Phase 1.

These queries may be asked adaptively as in Phase 1.

Guess: Finally, the adversary outputs a guess $b' \in \{0,1\}$. The adversary wins if $b = b'$.



We refer to such an adversary $\mathcal{A}$ as an IND-sID-CCA adversary. We define the advantage of the adversary $\mathcal{A}$ in attacking the scheme $\mathcal{E}$ as

$$\mathrm{Adv}_{\mathcal{E},\mathcal{A}} = \left| \Pr[b = b'] - \tfrac{1}{2} \right|$$

The probability is over the random bits used by the challenger and the adversary.



Definition 1. We say that an IBE or HIBE system $\mathcal{E}$ is $(t, q_{\mathrm{ID}}, q_C, \epsilon)$-selective identity, adaptive chosen ciphertext secure if for any $t$-time IND-sID-CCA adversary $\mathcal{A}$ that makes at most $q_{\mathrm{ID}}$ chosen private key queries and at most $q_C$ chosen decryption queries we have that $\mathrm{Adv}_{\mathcal{E},\mathcal{A}} < \epsilon$. As shorthand, we say that $\mathcal{E}$ is $(t, q_{\mathrm{ID}}, q_C, \epsilon)$ IND-sID-CCA secure.
Semantic Security. As usual, we define selective identity, chosen plaintext security for an IBE system as in the preceding game, except that the adversary is not allowed to issue any decryption queries. The adversary may still issue adaptive private key queries.

Definition 2. We say that an IBE or HIBE system $\mathcal{E}$ is $(t, q_{\mathrm{ID}}, \epsilon)$-selective identity, chosen plaintext secure if $\mathcal{E}$ is $(t, q_{\mathrm{ID}}, 0, \epsilon)$-selective identity, chosen ciphertext secure. As shorthand, we say that $\mathcal{E}$ is $(t, q_{\mathrm{ID}}, \epsilon)$ IND-sID-CPA secure.

2.2 Bilinear Groups 

We briefly review the necessary facts about bilinear maps and bilinear map groups. We follow the notation in [BF01]:

1. $G$ and $G_1$ are two (multiplicative) cyclic groups of prime order $p$;

2. $g$ is a generator of $G$;

3. $e$ is a bilinear map $e : G \times G \to G_1$.

Let $G$ and $G_1$ be two groups as above. A bilinear map is a map $e : G \times G \to G_1$ with the following properties:

1. Bilinear: for all $u, v \in G$ and $a, b \in \mathbb{Z}$, we have $e(u^a, v^b) = e(u, v)^{ab}$.

2. Non-degenerate: $e(g, g) \neq 1$.

We say that $G$ is a bilinear group if the group action in $G$ can be computed efficiently and there exists a group $G_1$ and an efficiently computable bilinear map $e : G \times G \to G_1$ as above. Note that $e(\cdot,\cdot)$ is symmetric since $e(g^a, g^b) = e(g, g)^{ab} = e(g^b, g^a)$.

3 Complexity Assumptions 

Let $G$ be a bilinear group of prime order $p$ and $g$ be a generator of $G$. We review the standard Bilinear Diffie-Hellman (BDH) assumption and define the Bilinear Diffie-Hellman Inversion (BDHI) assumption.

3.1 Bilinear Diffie-Hellman Assumption 

The BDH problem [Jou00, BF01] in $G$ is as follows: given a tuple $g, g^a, g^b, g^c \in G$ as input, output $e(g, g)^{abc} \in G_1$. An algorithm $\mathcal{A}$ has advantage $\epsilon$ in solving BDH in $G$ if

$$\Pr\left[ \mathcal{A}(g, g^a, g^b, g^c) = e(g, g)^{abc} \right] \ge \epsilon$$

where the probability is over the random choice of $a, b, c$ in $\mathbb{Z}_p^*$ and the random bits used by $\mathcal{A}$. Similarly, we say that an algorithm $\mathcal{B}$ that outputs $b \in \{0,1\}$ has advantage $\epsilon$ in solving the decision BDH problem in $G$ if

$$\left| \Pr\left[ \mathcal{B}(g, g^a, g^b, g^c, e(g, g)^{abc}) = 0 \right] - \Pr\left[ \mathcal{B}(g, g^a, g^b, g^c, T) = 0 \right] \right| \ge \epsilon$$

where the probability is over the random choice of $a, b, c$ in $\mathbb{Z}_p^*$, the random choice of $T \in G_1^*$, and the random bits of $\mathcal{B}$.
Definition 3. We say that the (Decision) $(t, \epsilon)$-BDH assumption holds in $G$ if no $t$-time algorithm has advantage at least $\epsilon$ in solving the (Decision) BDH problem in $G$.

Occasionally we drop the t and e and refer to the BDH and Decision BDH 
assumptions in G. 



3.2 Bilinear Diffie-Hellman Inversion Assumption 

The $q$-BDHI problem in the group $G$ is defined as follows: given the $(q+1)$-tuple $(g, g^x, g^{x^2}, \ldots, g^{x^q}) \in (G^*)^{q+1}$ as input, compute $e(g, g)^{1/x} \in G_1^*$. An algorithm $\mathcal{A}$ has advantage $\epsilon$ in solving $q$-BDHI in $G$ if

$$\Pr\left[ \mathcal{A}(g, g^x, \ldots, g^{x^q}) = e(g, g)^{1/x} \right] \ge \epsilon$$

where the probability is over the random choice of $x$ in $\mathbb{Z}_p^*$ and the random bits of $\mathcal{A}$. Similarly, we say that an algorithm $\mathcal{B}$ that outputs $b \in \{0,1\}$ has advantage $\epsilon$ in solving the decision $q$-BDHI problem in $G$ if

$$\left| \Pr\left[ \mathcal{B}(g, g^x, \ldots, g^{x^q}, e(g, g)^{1/x}) = 0 \right] - \Pr\left[ \mathcal{B}(g, g^x, \ldots, g^{x^q}, T) = 0 \right] \right| \ge \epsilon$$

where the probability is over the random choice of $x$ in $\mathbb{Z}_p^*$, the random choice of $T \in G_1^*$, and the random bits of $\mathcal{B}$.

Definition 4. We say that the (Decision) $(t, q, \epsilon)$-BDHI assumption holds in $G$ if no $t$-time algorithm has advantage at least $\epsilon$ in solving the (Decision) $q$-BDHI problem in $G$.

Occasionally we drop the $t$ and $\epsilon$ and refer to the $q$-BDHI and Decision $q$-BDHI assumptions. It is easy to show that the 1-BDHI assumption is equivalent to the standard Bilinear Diffie-Hellman assumption (BDH). It is not known if the $q$-BDHI assumption, for $q > 1$, is equivalent to BDH.



4 Efficient Selective Identity HIBE Based on BDH Without Random Oracles

We construct an efficient HIBE system that is selective identity secure without random oracles based on the Decision BDH assumption. In particular, this implies an efficient selective identity, chosen ciphertext secure IBE based on Decision BDH without random oracles.

4.1 Construction 

Let $G$ be a bilinear group of prime order $p$ and $g$ be a generator of $G$ (the security parameter determines the size of $G$). Let $e : G \times G \to G_1$ be the bilinear map. For now, we assume public keys (ID) of depth $\ell$ are vectors of elements in $\mathbb{Z}_p^\ell$. We write $\mathrm{ID} = (I_1, \ldots, I_\ell) \in \mathbb{Z}_p^\ell$. The $j$-th component corresponds to the identity at level $j$. We later extend the construction to public keys over $\{0,1\}^*$ by first hashing each component $I_j$ using a collision resistant hash $H : \{0,1\}^* \to \mathbb{Z}_p$. We also assume messages to be encrypted are elements in $G_1$. The HIBE system works as follows:

Setup($\ell$): To generate system parameters for an HIBE of maximum depth $\ell$, select a random $a \in \mathbb{Z}_p^*$ and set $g_1 = g^a$. Next, pick random elements $h_1, \ldots, h_\ell \in G$ and a generator $g_2 \in G^*$. The public parameters params and the secret master-key are given by

$$\mathrm{params} = (g, g_1, g_2, h_1, \ldots, h_\ell), \qquad \text{master-key} = g_2^a$$

For $j = 1, \ldots, \ell$, we define $F_j : \mathbb{Z}_p \to G$ to be the function: $F_j(x) = g_1^x h_j$.

KeyGen($d_{\mathrm{ID}|j-1}$, ID): To generate the private key $d_{\mathrm{ID}}$ for an identity $\mathrm{ID} = (I_1, \ldots, I_j) \in \mathbb{Z}_p^j$ of depth $j \le \ell$, pick random $r_1, \ldots, r_j \in \mathbb{Z}_p$ and output

$$d_{\mathrm{ID}} = \Big( g_2^a \cdot \prod_{k=1}^{j} F_k(I_k)^{r_k},\; g^{r_1}, \ldots, g^{r_j} \Big) \in G^{j+1}$$

Note that the private key for ID can be generated just given a private key for $\mathrm{ID}|_{j-1} = (I_1, \ldots, I_{j-1}) \in \mathbb{Z}_p^{j-1}$ as required. Indeed, let $d_{\mathrm{ID}|j-1} = (d_0, \ldots, d_{j-1})$ be the private key for $\mathrm{ID}|_{j-1}$. To generate $d_{\mathrm{ID}}$ pick a random $r_j \in \mathbb{Z}_p$ and output $d_{\mathrm{ID}} = (d_0 \cdot F_j(I_j)^{r_j},\; d_1, \ldots, d_{j-1},\; g^{r_j})$.
Encrypt(params, ID, $M$): To encrypt a message $M \in G_1$ under the public key $\mathrm{ID} = (I_1, \ldots, I_j) \in \mathbb{Z}_p^j$, pick a random $s \in \mathbb{Z}_p$ and output

$$C = \Big( e(g_1, g_2)^s \cdot M,\; g^s,\; F_1(I_1)^s, \ldots, F_j(I_j)^s \Big)$$

Note that $e(g_1, g_2)$ can be precomputed once and for all so that encryption does not require any pairing computations. Alternatively, $e(g_1, g_2)$ can be included in the system parameters.

Decrypt($d_{\mathrm{ID}}$, $C$): Let $\mathrm{ID} = (I_1, \ldots, I_j)$ be an identity. To decrypt a ciphertext $C = (A, B, C_1, \ldots, C_j)$ using the private key $d_{\mathrm{ID}} = (d_0, d_1, \ldots, d_j)$, output

$$A \cdot \frac{\prod_{k=1}^{j} e(C_k, d_k)}{e(B, d_0)}$$

Indeed, for a valid ciphertext, we have

$$\frac{\prod_{k=1}^{j} e(C_k, d_k)}{e(B, d_0)} = \frac{\prod_{k=1}^{j} e(F_k(I_k), g)^{s r_k}}{e(g, g_2)^{as} \cdot \prod_{k=1}^{j} e(g, F_k(I_k))^{s r_k}} = \frac{1}{e(g_1, g_2)^s}$$

4.2 Security 

The HIBE system above is reminiscent of the Gentry-Silverberg HIBE which is only known to be secure in the random oracle model. Surprisingly, our choice of functions $F_1, \ldots, F_\ell$ enables us to prove security without random oracles. We prove security of our HIBE system under the standard Decision BDH assumption in $G$.



Theorem 1. Suppose the $(t, \epsilon)$-Decision BDH assumption holds in $G$. Then the previously defined $\ell$-HIBE system is $(t', q_S, \epsilon)$-selective identity, chosen plaintext (IND-sID-CPA) secure for arbitrary $\ell$ and $q_S$ and any $t' < t - o(t)$.

Proof. Suppose $\mathcal{A}$ has advantage $\epsilon$ in attacking the HIBE system. We build an algorithm $\mathcal{B}$ that solves the Decision BDH problem in $G$. On input $(g, g^a, g^b, g^c, T)$ algorithm $\mathcal{B}$'s goal is to output 1 if $T = e(g, g)^{abc}$ and 0 otherwise. Let $g_1 = g^a$, $g_2 = g^b$, $g_3 = g^c$. Algorithm $\mathcal{B}$ works by interacting with $\mathcal{A}$ in a selective identity game as follows:

Initialization. The selective identity game begins with $\mathcal{A}$ first outputting an identity $\mathrm{ID}^* = (I_1^*, \ldots, I_k^*)$ of depth $k \le \ell$ that it intends to attack. If necessary, $\mathcal{B}$ appends random elements in $\mathbb{Z}_p$ to $\mathrm{ID}^*$ so that $\mathrm{ID}^*$ is a vector of length $\ell$.

Setup. To generate the system parameters, algorithm $\mathcal{B}$ picks $\alpha_1, \ldots, \alpha_\ell \in \mathbb{Z}_p$ at random and defines $h_j = g_1^{-I_j^*} g^{\alpha_j} \in G$ for $j = 1, \ldots, \ell$. It gives $\mathcal{A}$ the system parameters $\mathrm{params} = (g, g_1, g_2, h_1, \ldots, h_\ell)$. Note that the corresponding master-key, which is unknown to $\mathcal{B}$, is $g_2^a = g^{ab} \in G^*$. As before, for $j = 1, \ldots, \ell$ we define $F_j : \mathbb{Z}_p \to G$ to be the function

$$F_j(x) = g_1^x h_j = g_1^{x - I_j^*} g^{\alpha_j}$$

Phase 1. $\mathcal{A}$ issues up to $q_S$ private key queries. Consider a query for the private key corresponding to $\mathrm{ID} = (I_1, \ldots, I_u) \in \mathbb{Z}_p^u$ where $u \le \ell$. The only restriction is that ID is not a prefix of $\mathrm{ID}^*$. Let $j$ be the smallest index such that $I_j \neq I_j^*$. Necessarily $1 \le j \le u$. To respond to the query, algorithm $\mathcal{B}$ first derives a private key for the identity $(I_1, \ldots, I_j)$ from which it then constructs a private key for the requested identity $\mathrm{ID} = (I_1, \ldots, I_j, \ldots, I_u)$. Algorithm $\mathcal{B}$ picks random elements $r_1, \ldots, r_j \in \mathbb{Z}_p$ and sets

$$d_0 = g_2^{-\alpha_j/(I_j - I_j^*)} \prod_{k=1}^{j} F_k(I_k)^{r_k}, \qquad d_1 = g^{r_1}, \;\ldots,\; d_{j-1} = g^{r_{j-1}}, \qquad d_j = g_2^{-1/(I_j - I_j^*)} g^{r_j}$$

We claim that $(d_0, d_1, \ldots, d_j)$ is a valid random private key for $(I_1, \ldots, I_j)$. To see this, let $\tilde{r}_j = r_j - b/(I_j - I_j^*)$. Then we have that

$$g_2^{-\alpha_j/(I_j - I_j^*)} F_j(I_j)^{r_j} = g_2^{-\alpha_j/(I_j - I_j^*)} \big( g_1^{I_j - I_j^*} g^{\alpha_j} \big)^{r_j} = g_2^{a} \big( g_1^{I_j - I_j^*} g^{\alpha_j} \big)^{r_j - b/(I_j - I_j^*)} = g_2^{a} F_j(I_j)^{\tilde{r}_j}$$

It follows that the private key $(d_0, d_1, \ldots, d_j)$ defined above satisfies

$$d_0 = g_2^{a} \prod_{k=1}^{j-1} F_k(I_k)^{r_k} \cdot F_j(I_j)^{\tilde{r}_j}, \qquad d_1 = g^{r_1}, \;\ldots,\; d_{j-1} = g^{r_{j-1}}, \qquad d_j = g^{\tilde{r}_j}$$

where $r_1, \ldots, r_{j-1}, \tilde{r}_j$ are uniform in $\mathbb{Z}_p$. This matches the definition for a private key for $(I_1, \ldots, I_j)$. Hence, $(d_0, d_1, \ldots, d_j)$ is a valid private key for $(I_1, \ldots, I_j)$. Algorithm $\mathcal{B}$ derives a private key for the requested ID from the private key $(d_0, d_1, \ldots, d_j)$ and gives the result to $\mathcal{A}$.

Challenge. When $\mathcal{A}$ decides that Phase 1 is over, it outputs two messages $M_0, M_1 \in G_1$. Algorithm $\mathcal{B}$ picks a random bit $b \in \{0,1\}$ and responds with the ciphertext $C = (M_b \cdot T,\; g_3,\; g_3^{\alpha_1}, \ldots, g_3^{\alpha_\ell})$. Since $F_i(I_i^*) = g^{\alpha_i}$ for all $i$, we have that

$$C = \big( M_b \cdot T,\; g^c,\; F_1(I_1^*)^c, \ldots, F_\ell(I_\ell^*)^c \big)$$

Hence, if $T = e(g, g)^{abc} = e(g_1, g_2)^c$ then $C$ is a valid encryption of $M_b$ under the public key $\mathrm{ID}^* = (I_1^*, \ldots, I_\ell^*)$. Otherwise, $C$ is independent of $b$ in the adversary's view.

Phase 2. A issues its complement of private key queries not issued in Phase 1. 
Algorithm B responds as before. 

Guess. Finally, $\mathcal{A}$ outputs a guess $b' \in \{0,1\}$. Algorithm $\mathcal{B}$ concludes its own game by outputting a guess as follows. If $b = b'$ then $\mathcal{B}$ outputs 1 meaning $T = e(g, g)^{abc}$. Otherwise, it outputs 0 meaning $T \neq e(g, g)^{abc}$.

When $T = e(g, g)^{abc}$ then $\mathcal{A}$ must satisfy $|\Pr[b = b'] - 1/2| \ge \epsilon$. When $T$ is uniform in $G_1^*$ then $\Pr[b = b'] = 1/2$. Therefore, when $a, b, c$ are uniform in $\mathbb{Z}_p^*$ and $T$ is uniform in $G_1^*$ we have that

$$\left| \Pr\left[ \mathcal{B}(g, g^a, g^b, g^c, e(g, g)^{abc}) = 0 \right] - \Pr\left[ \mathcal{B}(g, g^a, g^b, g^c, T) = 0 \right] \right| \ge \epsilon$$

as required. This completes the proof of Theorem 1. □

4.3 Chosen Ciphertext Security 

A recent result of Canetti et al. [CHK04] gives an efficient way to build a selective identity, chosen ciphertext $\ell$-HIBE from a selective identity, chosen plaintext $(\ell+1)$-HIBE. In combination with the above construction, we obtain a selective identity, chosen ciphertext $\ell$-HIBE for any $\ell$. In particular, we can easily construct an efficient selective identity, chosen ciphertext secure IBE without random oracles.

4.4 Arbitrary Identities 

We can extend our HIBE above to handle identities $\mathrm{ID} = (I_1, \ldots, I_\ell)$ with $I_j \in \{0,1\}^*$ (as opposed to $I_j \in \mathbb{Z}_p$) by first hashing each $I_j$ using a collision resistant hash function $H : \{0,1\}^* \to \mathbb{Z}_p$ prior to key generation and encryption. A standard argument shows that if the scheme above is selective identity, chosen ciphertext secure then so is the scheme with the additional hash function. We note that there is no need for a full domain hash into $\mathbb{Z}_p$; for example, a collision resistant hash function $H : \{0,1\}^* \to \{1, \ldots, 2^k\}$ where $2^k < p$ is sufficient for the security proof.
5 More Efficient Selective Identity IBE Based on BDHI Without Random Oracles

We construct an efficient IBE system that is selective identity, chosen plaintext secure without random oracles based on the Decision $q$-BDHI assumption (see Section 3.2). The resulting IBE system is more efficient than the IBE construction in the previous section.



5.1 Basic Construction 

Let $G$ be a bilinear group of prime order $p$ and $g$ be a generator of $G$. For now, we assume that the public keys (ID) are elements in $\mathbb{Z}_p^*$. We show later that arbitrary identities in $\{0,1\}^*$ can be used by first hashing ID using a collision resistant hash $H : \{0,1\}^* \to \mathbb{Z}_p^*$. We also assume that the messages to be encrypted are elements in $G_1$. The IBE system works as follows:

Setup: To generate IBE parameters, select random elements $x, y \in \mathbb{Z}_p^*$ and define $X = g^x$ and $Y = g^y$. The public parameters params and the secret master-key are given by

$$\mathrm{params} = (g, g^x, g^y), \qquad \text{master-key} = (x, y)$$

KeyGen(master-key, ID): To create a private key for the public key $\mathrm{ID} \in \mathbb{Z}_p^*$:

1. pick a random $r \in \mathbb{Z}_p$ and compute $K = g^{1/(\mathrm{ID} + x + ry)} \in G$,

2. output the private key $d_{\mathrm{ID}} = (r, K)$.

In the unlikely event that $x + ry + \mathrm{ID} = 0 \pmod p$, try again with a new random value for $r$.

Encrypt(params, ID, $M$): To encrypt a message $M \in G_1$ under public key $\mathrm{ID} \in \mathbb{Z}_p^*$, pick a random $s \in \mathbb{Z}_p^*$ and output the ciphertext

$$C = \big( g^{s \cdot \mathrm{ID}} X^s,\; Y^s,\; e(g, g)^s \cdot M \big)$$

Note that $e(g, g)$ can be precomputed once and for all so that encryption does not require any pairing computations.

Decrypt($d_{\mathrm{ID}}$, $C$): To decrypt a ciphertext $C = (A, B, C)$ using the private key $d_{\mathrm{ID}} = (r, K)$, output $C / e(AB^r, K)$. Indeed, for a valid ciphertext we have

$$e(AB^r, K) = e\big( g^{s(\mathrm{ID} + x + ry)},\; g^{1/(\mathrm{ID} + x + ry)} \big) = e(g, g)^s$$



Performance. In terms of efficiency, we note that the ciphertext size and encryption time are similar to the IBE system of the previous section. However, decryption requires only one pairing computation, as opposed to two in the previous section.
5.2 Proving Security

We prove security of the scheme under the Decision $q$-BDHI assumption from Section 3.2.



Theorem 2. Suppose the $(t, q, \epsilon)$-Decision BDHI assumption holds in $G$. Then the previously defined IBE system is $(t', q_S, \epsilon)$-selective identity, chosen plaintext (IND-sID-CPA) secure for any $q_S < q$ and $t' < t - o(t)$.



Proof. Suppose $\mathcal{A}$ has advantage $\epsilon$ in attacking the IBE system. We build an algorithm $\mathcal{B}$ that uses $\mathcal{A}$ to solve the decision $q$-BDHI problem in $G$. On input $(g, g^\alpha, g^{\alpha^2}, \ldots, g^{\alpha^q}, T) \in (G^*)^{q+1} \times G_1^*$ for some unknown $\alpha \in \mathbb{Z}_p^*$, the goal of $\mathcal{B}$ is to output 1 if $T = e(g, g)^{1/\alpha}$ and 0 otherwise. It does so by interacting with $\mathcal{A}$ in a selective identity game as follows:



Preparation. Algorithm $\mathcal{B}$ builds a generator $h \in G^*$ for which it knows $q - 1$ pairs of the form $(w_i, h^{1/(\alpha + w_i)})$ for random $w_1, \ldots, w_{q-1} \in \mathbb{Z}_p^*$. This is done as follows:

1. Pick random $w_1, \ldots, w_{q-1} \in \mathbb{Z}_p^*$ and let $f(z)$ be the polynomial $f(z) = \prod_{i=1}^{q-1} (z + w_i)$. Expand the terms of $f$ to get $f(z) = \sum_{i=0}^{q-1} c_i z^i$. The constant term $c_0$ is non-zero.

2. Compute $h = \prod_{i=0}^{q-1} (g^{\alpha^i})^{c_i} = g^{f(\alpha)}$ and $u = \prod_{i=1}^{q} (g^{\alpha^i})^{c_{i-1}} = g^{\alpha f(\alpha)}$. Note that $u = h^\alpha$.

3. Check that $h \in G^*$. Indeed if we had $h = 1$ in $G$ this would mean that $w_j = -\alpha$ for some easily identifiable $w_j$, at which point $\mathcal{B}$ would be able to solve the challenge directly. We thus assume that all $w_j \neq -\alpha$.

4. Observe that for any $i = 1, \ldots, q-1$, it is easy for $\mathcal{B}$ to construct the pair $(w_i, h^{1/(\alpha + w_i)})$. To see this, write $f_i(z) = f(z)/(z + w_i) = \sum_{j=0}^{q-2} d_j z^j$. Then $h^{1/(\alpha + w_i)} = g^{f_i(\alpha)} = \prod_{j=0}^{q-2} (g^{\alpha^j})^{d_j}$.

5. Next, $\mathcal{B}$ computes

$$T_h = T^{(c_0^2)} \cdot T_0 \qquad \text{where} \qquad T_0 = \prod_{i=0}^{q-1} \prod_{j=0}^{q-2} e\big( g^{\alpha^i}, g^{\alpha^j} \big)^{c_i c_{j+1}}$$

Observe that if $T = e(g, g)^{1/\alpha}$ then $T_h = e(g^{f(\alpha)}, g^{f(\alpha)})^{1/\alpha} = e(h, h)^{1/\alpha}$. On the contrary, if $T$ is uniform in $G_1^*$, then $T_h$ is uniform in $G_1 \setminus \{T_0\}$.

We will be using the values $h, u, T_h$ and the pairs $(w_i, h^{1/(\alpha + w_i)})$ for $i = 1, \ldots, q-1$ throughout the simulation.

Initialization. The selective identity game begins with $\mathcal{A}$ first outputting an identity $\mathrm{ID}^* \in \mathbb{Z}_p^*$ that it intends to attack.

Setup. To generate the system parameters $\mathrm{params} = (g, X, Y)$, algorithm $\mathcal{B}$ does the following:

1. Pick random $a, b \in \mathbb{Z}_p^*$ under the constraint that $ab = \mathrm{ID}^*$.

2. Compute $X = u^{-a} h^{-ab} = h^{-a(\alpha + b)}$ and $Y = u = h^\alpha$.

3. Publish $\mathrm{params} = (h, X, Y)$ as the public parameters. Note that $X, Y$ are independent of $\mathrm{ID}^*$ in the adversary's view.

4. We implicitly define $x = -a(\alpha + b)$ and $y = \alpha$ so that $X = h^x$ and $Y = h^y$. Algorithm $\mathcal{B}$ does not know the value of $x$ or $y$, but does know the value of $x + ay = -ab = -\mathrm{ID}^*$.

Phase 1. $\mathcal{A}$ issues up to $q_S < q$ private key queries. Consider the $i$-th query for the private key corresponding to public key $\mathrm{ID}_i \neq \mathrm{ID}^*$. We need to respond with a private key $(r, h^{1/(\mathrm{ID}_i + x + ry)})$ for a uniformly distributed $r \in \mathbb{Z}_p$.

Algorithm $\mathcal{B}$ responds to the query as follows:

1. Let $(w_i, h^{1/(\alpha + w_i)})$ be the $i$-th pair constructed during the preparation step. Define $h_i = h^{1/(\alpha + w_i)}$.

2. $\mathcal{B}$ first constructs an $r \in \mathbb{Z}_p$ satisfying $(r - a)(\alpha + w_i) = \mathrm{ID}_i + x + ry$. Plugging in the values of $x$ and $y$ the equation becomes

$$(r - a)(\alpha + w_i) = \mathrm{ID}_i - a(\alpha + b) + r\alpha$$

We see that $\alpha$ cancels from the equation and we get $r = a + (\mathrm{ID}_i - \mathrm{ID}^*)/w_i \in \mathbb{Z}_p$.

3. Now, $(r, h_i^{1/(r-a)})$ is a valid private key for $\mathrm{ID}_i$ for two reasons. First,

$$h_i^{1/(r-a)} = h^{1/(r-a)(\alpha + w_i)} = h^{1/(\mathrm{ID}_i + x + ry)}$$

as required. Second, $r$ is uniformly distributed among all elements in $\mathbb{Z}_p$ for which $\mathrm{ID}_i + x + ry \neq 0$ and $r \neq a$. This is true since $w_i$ is uniform in $\mathbb{Z}_p \setminus \{0, -\alpha\}$ and is currently independent of $\mathcal{A}$'s view. Algorithm $\mathcal{B}$ gives $\mathcal{A}$ the private key $(r, h_i^{1/(r-a)})$.

We point out that this procedure will fail to produce the private key for $\mathrm{ID}^*$ since in that case we get $r - a = 0$. Hence, $\mathcal{B}$ can generate private keys for all public keys except for $\mathrm{ID}^*$.

Challenge. $\mathcal{A}$ outputs two messages $M_0, M_1 \in G_1$. Algorithm $\mathcal{B}$ picks a random bit $b \in \{0,1\}$ and a random $\ell \in \mathbb{Z}_p^*$. It responds with the ciphertext $CT = (h^{-a\ell},\; h^{\ell},\; T_h^{\ell} \cdot M_b)$. Define $s = \ell/\alpha$. On the one hand, if $T_h = e(h, h)^{1/\alpha}$ we have

$$h^{-a\ell} = h^{-a\alpha(\ell/\alpha)} = h^{(x + ab)(\ell/\alpha)} = h^{(x + \mathrm{ID}^*)(\ell/\alpha)}, \qquad T_h^{\ell} = e(h, h)^{\ell/\alpha} = e(h, h)^s$$

It follows that $CT$ is a valid encryption of $M_b$ under $\mathrm{ID}^*$, with the uniformly distributed randomization value $s = \ell/\alpha \in \mathbb{Z}_p^*$. On the other hand, when $T_h$ is uniform in $G_1 \setminus \{T_0\}$ then, in the adversary's view, $CT$ is independent of the bit $b$.

Phase 2. A issues more private key queries, for a total of at most qs < q. 
Algorithm B responds as before. 

Guess. Finally, $\mathcal{A}$ outputs a guess $b' \in \{0,1\}$. If $b = b'$ then $\mathcal{B}$ outputs 1 meaning $T = e(g, g)^{1/\alpha}$. Otherwise, it outputs 0 meaning $T \neq e(g, g)^{1/\alpha}$.

We showed that when the input $T$ satisfies $T = e(g, g)^{1/\alpha}$ then $T_h = e(h, h)^{1/\alpha}$ in which case $\mathcal{A}$ must satisfy $|\Pr[b = b'] - 1/2| \ge \epsilon$. On the other hand, when $T$ is uniform and independent in $G_1^*$ then $T_h$ is uniform and independent in $G_1 \setminus \{T_0\}$ in which case $\Pr[b = b'] = 1/2$. Therefore, when $x$ is uniform in $\mathbb{Z}_p^*$ and $T$ is uniform in $G_1^*$ we have that

$$\left| \Pr\left[ \mathcal{B}(g, g^x, \ldots, g^{x^q}, e(g, g)^{1/x}) = 0 \right] - \Pr\left[ \mathcal{B}(g, g^x, \ldots, g^{x^q}, T) = 0 \right] \right| \ge \epsilon$$

as required. This completes the proof of Theorem 2.
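An added example (not the paper's code) of the Preparation step of the proof above: a simulator that is handed only the $q$-BDHI instance $(g, g^x, \ldots, g^{x^q})$ and builds $h = g^{f(x)}$, $u = h^x$ and the pairs $(w_i, h^{1/(x+w_i)})$ by expanding $f$ and the quotients $f_i$, never touching $x$. The group is the order-$p$ subgroup of $\mathbb{Z}_N^*$ for a small safe prime $N = 2p+1$ found by a seeded search (constructed for the demo, not a recommended size); the pairing-dependent value $T_h$ is omitted since no pairing is available here, and the checking routine holds $x$ only to verify what the simulator produced.

```python
"""Preparation step of the Theorem 2 simulator (added example, not the paper's code).

Given powers = [g, g^x, ..., g^{x^q}], build h = g^{f(x)} with f(z) = prod (z + w_i),
u = h^x, and the pairs (w_i, h^{1/(x+w_i)}) = (w_i, g^{f_i(x)}) where f_i = f/(z+w_i).
Group: order-p subgroup of Z_N^*, N = 2p+1 a seeded demo-size safe prime.
"""
import random

_mr_rng = random.Random(1)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test; adequate for a demo modulus."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        y = pow(_mr_rng.randrange(2, n - 1), d, n)
        if y in (1, n - 1):
            continue
        for _ in range(s - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits, seed=0):
    """Return (N, p) with N = 2p + 1 and both N and p prime."""
    rng = random.Random(seed)
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p) and is_probable_prime(2 * p + 1):
            return 2 * p + 1, p


N, p = safe_prime(80)   # modulus N and subgroup order p (constructed demo values)
g = 4 % N               # 4 = 2^2 is a quadratic residue, hence has order p


def poly_mul(a, b):
    """Product of two polynomials over Z_p, coefficients in increasing degree."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out


def poly_div_linear(f, w):
    """Exact quotient f(z) / (z + w) over Z_p by synthetic division."""
    q = [0] * (len(f) - 1)
    q[-1] = f[-1]
    for i in range(len(f) - 2, 0, -1):
        q[i - 1] = (f[i] - w * q[i]) % p
    assert (f[0] - w * q[0]) % p == 0, "z + w does not divide f"
    return q


def exp_eval(powers, coeffs):
    """g^{sum_i c_i x^i} computed from the powers g^{x^i} alone (x stays unknown)."""
    acc = 1
    for gx, c in zip(powers, coeffs):
        acc = acc * pow(gx, c, N) % N
    return acc


def prepare(powers, rng):
    """Steps 1-4 of Preparation: returns (h, u, [(w_i, h^{1/(x+w_i)}), ...])."""
    q = len(powers) - 1
    ws = [rng.randrange(1, p) for _ in range(q - 1)]
    f = [1]
    for w in ws:
        f = poly_mul(f, [w, 1])                # f(z) = prod (z + w_i); c_0 = prod w_i != 0
    h = exp_eval(powers, f)                    # h = g^{f(x)}
    u = exp_eval(powers[1:], f)                # u = g^{x f(x)} = h^x (shifted powers)
    pairs = [(w, exp_eval(powers, poly_div_linear(f, w))) for w in ws]
    return h, u, pairs


def check_preparation(q=6, seed=7):
    """Challenger-side check: u = h^x and every pair satisfies h_i^{x + w_i} = h."""
    rng = random.Random(seed)
    x = rng.randrange(1, p)                    # challenge exponent, never given to prepare()
    powers = [pow(g, pow(x, i, p), N) for i in range(q + 1)]
    h, u, pairs = prepare(powers, random.Random(seed + 1))
    ok = h != 1 and u == pow(h, x, N) and len(pairs) == q - 1
    for w, h_i in pairs:
        ok = ok and pow(h_i, (x + w) % p, N) == h
    return ok
```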



5.3 Chosen-Ciphertext Security and Arbitrary Identities 

Canetti et al. [CHK03, Section 2.2] describe a general method for converting a selective identity, chosen plaintext secure IBE into a selective identity, chosen ciphertext secure IBE. The method is based on [NY90, Sah99, Lin03]. Since it is generic, it applies to our system as well. In particular, the method can be used to render the IBE system above secure against chosen ciphertext attacks. The result is an IND-sID-CCA secure IBE without random oracles. However, the resulting system is inefficient since it relies on generic non-interactive zero-knowledge (NIZK) constructions.

As before, a standard argument shows that we can extend the IBE above to handle arbitrary identities $\mathrm{ID} \in \{0,1\}^*$ by first hashing ID using a collision resistant hash function $H : \{0,1\}^* \to \mathbb{Z}_p^*$ prior to key generation and encryption. If the underlying scheme is selective identity, chosen plaintext (resp. ciphertext) secure, then so is the scheme with the additional hash function.



5.4 An Efficient CCA2-secure Public-Key System 

A recent result of Canetti et al. [CHK04] gives a general method for constructing 
a CCA2 public key system from any selective identity, chosen plaintext IBE. 
Essentially the same result was used in Section 4 to transform our first HIBE 
construction into a chosen ciphertext secure HIBE of lesser depth. 

When used on the construction of this section, we obtain a new efficient 
CCA2 public key system. We briefly summarize its characteristics: 

1. Encryption time: Dominated by three exponentiations in G. 

2. Decryption time: Dominated by one pairing computation. 

3. Ciphertext size: Composed of three elements of G plus a public key and 
signature of a one-time signature scheme. 

In terms of performance, this is comparable to, though not quite as efficient as, 
the Cramer-Shoup [CS98] CCA2-secure public key system which is proven secure 
in the standard model. 

The ciphertext size can be further reduced by using the short signature scheme recently proposed by Boneh and Boyen [BB04] instead of the one-time signatures suggested by Canetti et al. [CHK04]. The Boneh-Boyen signature scheme is existentially unforgeable in the strong sense (sUF-CMA) without random oracle, and thus satisfies the requirements of the CCA2 construction. Here, strong existential unforgeability means that it is infeasible for an adversary to forge a new signature even on messages for which one or more valid signatures are already known.



6 DHI and Generalized Diffie-Hellman 

In Section 3.2 we defined the $q$-BDHI problem in a bilinear group. A closely 
related problem is the $q$-Diffie-Hellman Inversion ($q$-DHI) problem: given a tuple 
$(g, g^x, \ldots, g^{x^q}) \in \mathbb{G}^{q+1}$ as input, output $g^{1/x} \in \mathbb{G}$. Here, $\mathbb{G}$ need not be a 
bilinear group. Loosely speaking, the $q$-DHI assumption states that the $q$-DHI 
problem is intractable in $\mathbb{G}$. This assumption was previously used in [MSK02] 
where it was called weak Diffie-Hellman. 

Many cryptographic constructions rely on the Generalized Diffie-Hellman 
assumption (GenDH) for security [MSW96, NR97, BBR99, Lys02, BS03]. In 
this section we show that the $q$-DHI assumption implies the $(q+1)$-Generalized 
Diffie-Hellman assumption. Thus, constructions that rely on Generalized Diffie-Hellman 
could instead rely on $q$-DHI, which appears to be a more natural complexity 
assumption, and is easier to state since the problem description does not 
require an oracle. 

We first review the GenDH assumption. The assumption says that given 
$g^{a_1}, \ldots, g^{a_q}$ in $\mathbb{G}$ and given all the subset products $g^{\prod_{i \in S} a_i} \in \mathbb{G}$ for any strict 
subset $S \subset \{1, \ldots, q\}$, it is hard to compute $g^{a_1 \cdots a_q} \in \mathbb{G}$. Since the number 
of subset products is exponential in $q$, access to all these subset products is 
provided through an oracle. For a vector $a = (a_1, \ldots, a_q) \in \mathbb{Z}_p^q$, define $\mathcal{O}_{g,a}$ to 
be an oracle that for any strict subset $S \subset \{1, \ldots, q\}$ responds with 

$$\mathcal{O}_{g,a}(S) = g^{\prod_{i \in S} a_i} \in \mathbb{G}.$$

Define the advantage of algorithm $A$ in solving the generalized Diffie-Hellman 
problem to be the probability that $A$ is able to compute $g^{a_1 \cdots a_q}$, given access to 
the oracle $\mathcal{O}_{g,a}(S)$. In other words, 

$$\mathrm{Adv}_{A,q} = \Pr\left[ A^{\mathcal{O}_{g,a}} = g^{a_1 \cdots a_q} \;:\; a = (a_1, \ldots, a_q) \leftarrow \mathbb{Z}_p^q \right].$$

Note that the oracle only answers queries for strict subsets of $\{1, \ldots, q\}$. 

Definition 5. We say that $\mathbb{G}$ satisfies the $(t,q,\epsilon)$-Generalized Diffie-Hellman 
assumption if for all $t$-time algorithms $A$ we have $\mathrm{Adv}_{A,q} < \epsilon$. 



Theorem 3. Suppose the $(t, q-1, \epsilon)$-DHI assumption holds in $\mathbb{G}$. Then the 
$(t, q, \epsilon)$-GenDH assumption also holds in $\mathbb{G}$. 

Proof. Suppose $A$ is an algorithm that has advantage $\epsilon$ in solving the $q$-GenDH 
problem. We construct an algorithm $B$ that solves $(q-1)$-DHI with the same 
advantage $\epsilon$. Algorithm $B$ is given $g, g^x, \ldots, g^{x^{q-1}} \in \mathbb{G}$ and its goal is 
to compute $g^{1/x} \in \mathbb{G}$. Let $h = g^{x^{q-1}}$ and $y = x^{-1} \in \mathbb{Z}_p$. Then the input to 
$B$ can be re-written as $h, h^y, \ldots, h^{y^{q-1}} \in \mathbb{G}$ and $B$'s goal is to output 

$$h^{y^q} = g^{1/x}.$$

Algorithm $B$ first picks $q$ random values $c_1, \ldots, c_q \in \mathbb{Z}_p$. It then runs algorithm 
$A$ and simulates the oracle $\mathcal{O}_{h,a}$ for $A$. The vector $a$ that $B$ will use is 
$a = (y + c_1, \ldots, y + c_q)$. Note that $B$ does not know $a$ explicitly since $B$ does not 
have $y$. When $A$ issues a query for $\mathcal{O}_{h,a}(S)$ for some strict subset $S \subset \{1, \ldots, q\}$, 
algorithm $B$ responds as follows: 

1. Define the polynomial $f(z) = \prod_{i \in S}(z + c_i)$ and expand the terms to obtain 
$f(z) = \sum_{j=0}^{|S|} f_j z^j$. 

2. Compute $t = \prod_{j=0}^{|S|} \left(h^{y^j}\right)^{f_j}$. Since $|S| < q$ all the values in the 
product are known to $B$. 

3. By construction we know that $t = h^{\prod_{i \in S}(y + c_i)}$. Algorithm $B$ responds by 
setting $\mathcal{O}_{h,a}(S) = t$. 

The responses to all of the adversary's oracle queries are consistent with the 
hidden vector $a = (y + c_1, \ldots, y + c_q)$. Therefore, eventually, $A$ will output 
$T = h^{\prod_{i=1}^{q}(y + c_i)}$. Define the polynomial $f(z) = \prod_{i=1}^{q}(z + c_i)$ and expand the 
terms to get $f(z) = z^q + \sum_{j=0}^{q-1} f_j z^j$. To conclude, $B$ outputs 

$$T \Big/ \prod_{j=0}^{q-1} \left(h^{y^j}\right)^{f_j} = h^{y^q},$$

which is the required value. □ 
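The reduction in the proof of Theorem 3, run end to end in a toy group as an added illustration (this code is not part of the paper; the subgroup of order 83 inside $\mathbb{Z}_{167}^*$, the generator 4 and the random seed are constructed choices). Algorithm $B$ answers $A$'s subset queries from the rewritten DHI instance alone and turns $A$'s final answer into $g^{1/x}$; the checker that plays the part of $A$ is given $y$ only so that the simulated oracle can be compared with the true $\mathcal{O}_{h,a}$.

```python
# Added example (not from the paper): the Theorem 3 reduction in a toy group.
# Group: the order-83 subgroup of Z_167^* (constructed), so exponents live in
# Z_p with p = 83 and group elements are integers mod P.  Subsets use 0-based
# indices {0, ..., q-1} instead of the paper's {1, ..., q}.
from functools import reduce
import random

P = 167   # constructed: P = 2p + 1 is prime
p = 83    # prime order of the subgroup generated by g
g = 4     # 4 = 2^2 generates the subgroup of squares, which has order p

def gmul(a, b):
    return a * b % P

def expand_roots(cs):
    """Coefficients f_0..f_n of f(z) = prod_i (z + c_i) over Z_p, low degree first."""
    f = [1]
    for c in cs:
        nxt = [0] * (len(f) + 1)
        for j, fj in enumerate(f):
            nxt[j] = (nxt[j] + fj * c) % p        # f_j z^j * c
            nxt[j + 1] = (nxt[j + 1] + fj) % p    # f_j z^j * z
        f = nxt
    return f

def dhi_instance(q, x):
    """A (q-1)-DHI instance g, g^x, ..., g^{x^{q-1}} for a secret x in Z_p."""
    return [pow(g, pow(x, i, p), P) for i in range(q)]

class GenDHSimulator:
    """Algorithm B.  It never sees y = 1/x; it only holds the DHI instance
    rewritten as h, h^y, ..., h^{y^{q-1}} and its own random c_0..c_{q-1}."""
    def __init__(self, instance, cs):
        self.q = len(instance)
        self.hy = list(reversed(instance))   # hy[j] = h^{y^j} with h = g^{x^{q-1}}
        self.h = self.hy[0]
        self.cs = cs

    def oracle(self, S):
        """O_{h,a}(S) for a strict non-empty subset S, via f(z) = prod_{i in S}(z + c_i)."""
        assert 0 < len(S) < self.q
        f = expand_roots([self.cs[i] for i in S])   # degree |S| < q: every h^{y^j} needed is known
        return reduce(gmul, (pow(self.hy[j], fj, P) for j, fj in enumerate(f)), 1)

    def extract(self, T):
        """Turn A's answer T = h^{prod_i (y + c_i)} into h^{y^q} = g^{1/x}."""
        f = expand_roots(self.cs)                    # monic of degree q; f[q] = 1
        known = reduce(gmul, (pow(self.hy[j], f[j], P) for j in range(self.q)), 1)
        return gmul(T, pow(known, -1, P))

def run_reduction(q=4, seed=7):
    """Return (oracle_consistent, dhi_solved) for one random instance.  The
    checker standing in for A is handed y purely to validate B's simulation."""
    rng = random.Random(seed)
    x = rng.randrange(1, p)
    cs = [rng.randrange(p) for _ in range(q)]
    B = GenDHSimulator(dhi_instance(q, x), cs)
    y = pow(x, -1, p)
    a = [(y + c) % p for c in cs]                   # the hidden vector B cannot compute
    prod = lambda xs: reduce(lambda u, v: u * v % p, xs, 1)
    consistent = all(
        B.oracle(S) == pow(B.h, prod(a[i] for i in S), P)
        for mask in range(1, 2 ** q - 1)            # every strict non-empty subset
        for S in [[i for i in range(q) if mask >> i & 1]]
    )
    T = pow(B.h, prod(a), P)                        # what a successful A outputs
    solved = B.extract(T) == pow(g, pow(x, -1, p), P)
    return consistent, solved

if __name__ == "__main__":
    print(run_reduction())
```

The exponent arithmetic is done modulo the subgroup order $p$, which is what makes $h^{y^q} = g^{x^{q-1} \cdot x^{-q}} = g^{1/x}$ hold exactly as in the proof.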

The same property as in Theorem 3 also holds for the decision version of the 
DHI and GenDH problems. The $q$-DHI assumption is easier to state than the 
$q$-GenDH assumption since there is no need for an oracle. When appropriate, 
constructions that depend on GenDH for security could instead use the DHI 
assumption. 

7 Conclusions 

We constructed two IBE systems that are secure against selective identity attacks 
in the standard model, i.e., without using random oracles. The first construction 
is based on the now classic BDH assumption. It extends readily to give a 
selective identity HIBE without random oracles, that can efficiently be made 
chosen ciphertext secure using a technique of [CHK04]. The second construction 
is based on the Bilinear Diffie-Hellman Inversion assumption. The same technique 
of [CHK04] converts both our constructions into efficient CCA2-secure 
public key systems without random oracles that are almost as efficient as the 
Cramer-Shoup public key system. 

Currently, the problem of constructing a fully secure IBE (against adaptive 
identity attacks) without resorting to random oracles is still open. We hope to 
see this question resolved soon. 

Abstract. For counting points of Jacobians of genus 2 curves defined 
over large prime fields, the best known method is a variant of Schoof’s 
algorithm. We present several improvements on the algorithms described 
by Gaudry and Harley in 2000. In particular we rebuild the symmetry 
that had been broken by the use of Cantor’s division polynomials and 
design a faster division by 2 and a division by 3. Combined with the 
algorithm by Matsuo, Chao and Tsujii, our implementation can count 
the points on a Jacobian of size 164 bits within about one week on a PC. 



1 Introduction 

Genus 2 hyperelliptic curves provide an interesting alternative to elliptic curves 
for the design of discrete-log based cryptosystems. Indeed, for a similar security, 
the key or signature lengths are the same as for elliptic curves, and furthermore 
the size of the base field in which the computations take place is half as large. 
During the last years, efforts in improving the group law algorithms made these 
cryptosystems quite competitive [19,25]. 

To ensure the security of the system, it is required to have a group of large 
prime order. Until recently, for the Jacobian of a genus 2 curve, only specific 
constructions provided curves with known Jacobian order, namely the complex 
multiplication (CM) method [34] and the Koblitz curves. These curves have a 
very special structure; although nobody knows if they are weaker than general 
curves, it is pertinent to consider random curves as well. This raises the problem 
of point-counting: given a random curve, find the group order of its Jacobian. 

With today’s state of the art, the complexity of the point counting task in 
genus 2 highly depends on the size of the characteristic of the base field: in short, 
the smaller the characteristic, the easier the task of point counting (“easy” means 
fast and does not mean that the theoretical tools are simple). 

In the case of genus 2 curves in small characteristic p, the point counting 
problem was recently solved using p-adic methods [31,23,20]. The particular case 
where p = 2 is in fact treated almost as quickly as in genus 1. Unfortunately, 
these dramatic improvements do not apply when p becomes too large (say, a few 
thousands [10]). 
For large p, the best known algorithms are variants of Schoof's algorithm, 
theoretical descriptions of which can be found in [26,18,1,16]. In 2000, Gaudry 
and Harley [11] designed and implemented the first practical genus 2 Schoof 
algorithm, making use of Cantor's division polynomials [8]. To reach reasonable 
sizes, however, it was necessary to combine the Schoof approach with a Pollard 
lambda method. Their record was a random genus 2 curve over a prime field 
of size about $10^{19}$, thus too small to be used in a cryptosystem. For "medium 
characteristic", they also proposed to use the Cartier-Manin operator to get 
additional information that can be combined with others. Therefore, for medium 
characteristic p (say $10^9$, see [5]), point counting is easier than for very large p. 

We mentioned that in the non-small characteristic case, once the group or- 
der has been computed modulo some large integer, the computation is finished 
using a Pollard lambda method. Matsuo, Chao and Tsujii [21] proposed a 
Baby-step/Giant-step algorithm that speeds up this last phase. With this device and 
using the Cartier-Manin trick, they performed a point counting computation of 
cryptographical size for a medium characteristic field. 

In this paper, we improve on the methods of [11], so that, combined with the 
algorithm of [21], we can reach cryptographical size over prime fields. Our im- 
provements are concerned with the construction and the manipulation of torsion 
elements in the Schoof-like algorithm of [11]. The impact of these improvements 
is asymptotically by a constant factor, but they yield significant speed-up in 
practice for the size of interest in cryptography. We now summarize them: 

Our first contribution is the reintroduction of symmetries that were lost 
in [11]. Indeed, the use of Cantor’s division polynomials to construct torsion 
elements is very efficient, but the resulting divisor is given as a sum of points 
instead of in Mumford representation. Therefore a factor of 2 in the degrees of 
the polynomials that are manipulated is lost. In Sections 3.2 and 3.3, we give 
algorithms to save this factor of 2 in the degrees. 

In [11], it is proposed to build $2^k$-torsion elements using a halving algorithm 
based on Gröbner basis computations. Our second contribution is a faster division 
by 2, using a better representation of the system; in the same spirit we show 
that a division by 3 can also be done: this is described in Section 4. Another 
practical improvement is the ubiquitous use of an explicit action on the roots 
coming from the group law to speed up the factorizations that occur at different 
stages. We explain it in detail in the case of the division by 2 in Section 3.4. 

To illustrate and to test the performance of our improvements, we imple- 
mented them in Magma or NTL and mixed them with the algorithm of [21] and 
an early abort strategy. Our main outcome is the first construction of secure 
random curves of genus 2 over a prime field, as we obtained Jacobians of prime 
order of size about $2^{164}$. 

2 Generalities 

In this work, $p$ denotes a fixed odd prime, $\mathbb{F}_p$ is the finite field with $p$ elements, 
and $C$ is a genus 2 curve defined by the equation $y^2 = f(x)$, where $f$ is a 
squarefree monic polynomial in $\mathbb{F}_p[X]$ of degree 5. The main object we consider 
is the Jacobian $J(C)$ of $C$. We handle elements of $J(C)$ through their Mumford 
representation: each element of $J(C)$ can be uniquely represented by a pair of 
polynomials $(u(x), v(x))$, where $u$ is monic of degree at most 2, $v$ is of degree less 
than the degree of $u$, and $u$ divides $v^2 - f$. The degree of the $u$-polynomial in 
Mumford's representation is called the weight of a divisor. If $K$ is an extension 
field of $\mathbb{F}_p$, we may distinguish the curves defined on $K$ and $\mathbb{F}_p$ by denoting 
them $C/K$ and $C/\mathbb{F}_p$; the Jacobians are correspondingly denoted by $J(C/K)$ and 
$J(C/\mathbb{F}_p)$. For precise definitions and algorithms for the group law, we refer to 
[22] and [7,19]. 

Let $\overline{\mathbb{F}}_p$ be an algebraic closure of $\mathbb{F}_p$ and let us consider the Frobenius endomorphism 
on $J(C/\overline{\mathbb{F}}_p)$ denoted by $\pi$. By Weil's theorem (see [24]), the characteristic 
polynomial $\chi(T)$ of $\pi$ has the form 

$$\chi(T) = T^4 - s_1 T^3 + s_2 T^2 - p s_1 T + p^2,$$

where $s_1$ and $s_2$ are integers such that $|s_1| \le 4\sqrt{p}$ and $|s_2| \le 6p$. Furthermore 
$\#J(C) = \chi(1) = p^2 + 1 - s_1(p+1) + s_2$. 

In point-counting algorithms based on Schoof's idea [27], the torsion elements 
of $J(C)$ play an important role. If $N$ is a positive integer, the subgroup 
of $N$-torsion elements of $J(C/\overline{\mathbb{F}}_p)$ is a finite group denoted by $J(C)[N]$; it is isomorphic 
to $(\mathbb{Z}/N\mathbb{Z})^4$ and has the structure of a free $\mathbb{Z}/N\mathbb{Z}$-module of dimension 
4 (see [24]). Furthermore, the characteristic polynomial of the restriction of $\pi$ to 
$J(C)[N]$ is $\chi(T) \bmod N$. Applying this to different small primes or prime powers 
leads to the genus 2 Schoof algorithm that is sketched in Algorithm 1. 



Algorithm 1 Sketch of a genus 2 Schoof algorithm 

1. For sufficiently many small primes or prime powers $\ell$: 

(a) Let $L = \{(s_1, s_2);\ s_1, s_2 \in [0, \ell - 1]\}$. 

(b) While $\#L > 1$ do 

— Construct a new $\ell$-torsion divisor $D$; 

— Eliminate those elements $(s_1, s_2)$ in $L$ such that 

$$\pi^4(D) - s_1 \pi^3(D) + s_2 \pi^2(D) - (p s_1 \bmod \ell)\, \pi(D) + (p^2 \bmod \ell)\, D \neq 0.$$

(c) Deduce $\chi(T) \bmod \ell$ from the remaining pair in $L$. 

2. Deduce $\chi(T)$ from the pairs $(\ell, \chi(T) \bmod \ell)$ by Chinese remaindering, or using the 
algorithm of [21]. 
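Step 2 of Algorithm 1 on constructed data, as an added example that is not from the paper: the residues of $(s_1, s_2)$ modulo several small primes are recombined by Chinese remaindering, and the Weil bounds $|s_1| \le 4\sqrt{p}$, $|s_2| \le 6p$ fix the signed representative and say how many primes are needed before the answer is unique. The prime $p = 1009$ and the pair $(s_1, s_2) = (-37, 1500)$ are chosen for illustration and do not come from a real curve.

```python
# Added example (not from the paper): Step 2 of Algorithm 1.  Given
# chi(T) mod ell for several small primes ell, i.e. the residues of (s_1, s_2),
# recover s_1 and s_2 by Chinese remaindering, pick the signed representative
# inside the Weil bounds |s_1| <= 4 sqrt(p), |s_2| <= 6p, and deduce
# #J(C) = p^2 + 1 - s_1 (p + 1) + s_2.  All numbers below are constructed.
from math import isqrt

def crt(residues, moduli):
    """Chinese remaindering for pairwise coprime moduli; returns (x, M)."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        t = (r - x) * pow(M, -1, m) % m      # x + M*t == r (mod m)
        x, M = x + M * t, M * m
    return x % M, M

def weil_bounds(p):
    """Integer bounds B1 = floor(4 sqrt p) and B2 = 6p for s_1 and s_2."""
    return isqrt(16 * p), 6 * p

def enough_moduli(p, moduli):
    """CRT pins s_i down only if prod(ell) exceeds the width 2*B_i of its interval."""
    b1, b2 = weil_bounds(p)
    M = 1
    for m in moduli:
        M *= m
    return M > 2 * b1 and M > 2 * b2

def lift_signed(r, M, bound):
    """The unique representative of r mod M in [-bound, bound] (needs M > 2*bound)."""
    r %= M
    return r if r <= bound else r - M

def residues_mod(ell, s1, s2):
    """What Step 1(c) hands over for one prime ell: chi(T) mod ell as (s1, s2) mod ell."""
    return ell, s1 % ell, s2 % ell

def reconstruct_chi(p, chi_mod_ell):
    """chi_mod_ell: list of (ell, s1 mod ell, s2 mod ell).  Returns (s1, s2, #J(C))."""
    moduli = [ell for ell, _, _ in chi_mod_ell]
    if not enough_moduli(p, moduli):
        raise ValueError("product of the ell is below the Weil-bound width; need more primes")
    b1, b2 = weil_bounds(p)
    r1, M = crt([a for _, a, _ in chi_mod_ell], moduli)
    r2, _ = crt([b for _, _, b in chi_mod_ell], moduli)
    s1, s2 = lift_signed(r1, M, b1), lift_signed(r2, M, b2)
    return s1, s2, p * p + 1 - s1 * (p + 1) + s2

# constructed sample: p = 1009 and a pair (s1, s2) inside the Weil bounds,
# chosen for illustration rather than taken from an actual curve
SAMPLE_P, SAMPLE_S1, SAMPLE_S2 = 1009, -37, 1500
SAMPLE_DATA = [residues_mod(ell, SAMPLE_S1, SAMPLE_S2) for ell in (3, 5, 7, 11, 13)]

if __name__ == "__main__":
    print(reconstruct_chi(SAMPLE_P, SAMPLE_DATA))
```

With $p = 1009$ the bounds are $B_1 = 127$ and $B_2 = 6054$, so the product of the primes has to exceed $12108$; the primes $3, 5, 7, 11$ alone (product $1155$) are not enough, and adding $13$ (product $15015$) makes the lift unique.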



Our contribution is to improve the first part of the algorithm, the construction 
of $\ell$-torsion divisors; the computations for small primes and prime powers 
are respectively described in Sections 3 and 4. 

We will frequently make genericity assumptions on the curve C and its torsion 
divisors. We assume that C is chosen randomly among genus 2 curves defined over 
a large field Fp, so we can expect that with high probability, such assumptions are 
satisfied. The cases when our assumptions fail should require special treatments, 
which are not developed here. 
For the complexity estimates, we denote by $M(d)$ the number of $\mathbb{F}_p$-operations 
required to multiply two polynomials of degree d defined over Fp. We make the 
classical assumptions on M (see for instance [32, Definition 8.26]). In the sequel, 
if no precise reference is given for an algorithm, then it can be found in [32], 
together with a complexity analysis in terms of M. 



3 Computation Modulo a Small Prime $\ell$ 

In the classical Schoof algorithm for elliptic curves, a formal $\ell$-torsion point is 
used: the computations are made with a point $P = (x, y)$, where $x$ cancels the 
$\ell$-th division polynomial $\psi_\ell$ and $y$ is linked to $x$ by the equation of the curve. In 
other words, we work in a rank 2 polynomial algebra quotiented by two relations: 
$\mathbb{F}_p[x, y]/(\psi_\ell(x),\ y^2 - (x^3 + ax + b))$. 

In genus 2, we imitate this strategy. According to [18], it is enough to consider 
the $\ell$-torsion divisors of weight 2 (this is not surprising since a generic divisor has 
weight 2). Let thus $D$ be a weight 2 divisor given in Mumford representation, $D = 
(x^2 + u_1 x + u_0,\ v_1 x + v_0)$. Then there exists a radical ideal $I_\ell$ of $\mathbb{F}_p[U_1, U_0, V_1, V_0]$ 
such that 

$$D \in J(C)[\ell] \iff \varphi(u_1, u_0, v_1, v_0) = 0 \ \text{ for all } \varphi \in I_\ell.$$

By analogy with elliptic division polynomials, this ideal $I_\ell$ is called the $\ell$-th division 
ideal. There are $\ell^4 - 1$ non-zero $\ell$-torsion elements, so that $I_\ell$ has dimension 
0 and degree at most $\ell^4 - 1$; generically, by the Manin-Mumford conjecture [15, 
p. 435], all non-zero torsion divisors have weight 2, so the degree of $I_\ell$ is exactly 
$\ell^4 - 1$. 

From the computational point of view, a good choice for a generating set of $I_\ell$ 
is a Gröbner basis for a lexicographic order. Using the order $U_1 < U_0 < V_1 < V_0$, 
we can actually predict the shape of this Gröbner basis. Indeed, if $D$ is an 
$\ell$-torsion divisor, then its opposite $-D$ is also $\ell$-torsion, so it has the same $u$-coordinates, 
and opposite $v$-coordinates. Furthermore, we make the genericity 
assumption that all the pairs $\{D, -D\}$ of $\ell$-torsion divisors have different values 
for $u_1$. Then, the Gröbner basis for the ideal $I_\ell$ takes the form 

$$\begin{cases} V_0 - V_1 S_0(U_1) \\ V_1^2 - S_1(U_1) \\ U_0 - R_0(U_1) \\ R_1(U_1), \end{cases}$$

where $R_1$ is a squarefree polynomial of degree $(\ell^4 - 1)/2$ and $R_0, S_1, S_0$ are 
polynomials of degree at most $(\ell^4 - 1)/2 - 1$. If such a Gröbner basis for $I_\ell$ 
is known, then it is not difficult to imitate Schoof's algorithm, by working in 
the quotient algebra $\mathbb{F}_p[U_1, U_0, V_1, V_0]/I_\ell$. Unfortunately, no easily computable 
recurrence formulae, like those for division polynomials of elliptic curves, are known that 
relate Gröbner bases of $\ell$-division ideals for different values of $\ell$. Therefore 
we shall start with the approach of [11] using Cantor's division polynomials and 
show that we can derive efficiently a multiple of $R_1$. 
3.1 Cantor's Division Polynomials 

Let us fix a prime $\ell$. Cantor's division polynomials [8] are polynomials in $\mathbb{F}_p[X]$, 
denoted by $d_0, d_1, d_2, e_0, e_1, e_2$, with the following property: for a divisor $P = 
(x - x_P, y_P)$ of weight 1, the multiplication of $P$ by $\ell$ in $J(C)$ is given by 

$$[\ell]P = \left( x^2 + \frac{d_1(x_P)}{d_2(x_P)}\, x + \frac{d_0(x_P)}{d_2(x_P)},\ \ y_P \left( \frac{e_1(x_P)}{e_2(x_P)}\, x + \frac{e_0(x_P)}{e_2(x_P)} \right) \right).$$

These polynomials have respective degrees $2\ell^2 - 1$, $2\ell^2 - 2$, $2\ell^2 - 3$, $\ldots - 2$, $3\ell^2 - 3$, 
$3\ell^2 - 2$ and are easily computed by means of recurrence formulae. Even if a naive 
method is used, the cost of their computation is by far negligible compared to 
the subsequent operations. 

Now, let $D = (x^2 + U_1 x + U_0,\ V_1 x + V_0)$ be a generic divisor of weight 2, where 
$U_1, U_0, V_1, V_0$ are indeterminates, subject to the condition that $x^2 + U_1 x + U_0$ 
divides $(V_1 x + V_0)^2 - f$. The divisor $D$ can be written as the sum of two weight 
1 divisors $P_1 = (x - X_1, Y_1)$ and $P_2 = (x - X_2, Y_2)$, where $U_1 = -(X_1 + X_2)$, 
$U_0 = X_1 X_2$, and where $Y_1$ and $Y_2$ satisfy $V_1 X_1 + V_0 = Y_1$ and $V_1 X_2 + V_0 = Y_2$. 

Since $D = P_1 + P_2$, $D$ is $\ell$-torsion if and only if $[\ell]P_1 = -[\ell]P_2$. 

Rewriting this equation using Cantor's division polynomials, we get four 
equations that must be satisfied for $D$ to be $\ell$-torsion. Some of these equations 
are multiples of $X_1 - X_2$: this is an artifact due to the splitting of $D$ into divisors 
of weight 1, and if this is the case one should divide out this factor. Hence we 
obtain the following system: 



$$\begin{cases} E_1(X_1, X_2) = \big(d_1(X_1)\, d_2(X_2) - d_1(X_2)\, d_2(X_1)\big)/(X_1 - X_2) = 0, \\ E_2(X_1, X_2) = \big(d_0(X_1)\, d_2(X_2) - d_0(X_2)\, d_2(X_1)\big)/(X_1 - X_2) = 0, \\ F_1(X_1, X_2, Y_1, Y_2) = Y_1\, e_1(X_1)\, e_2(X_2) + Y_2\, e_1(X_2)\, e_2(X_1) = 0, \\ F_2(X_1, X_2, Y_1, Y_2) = Y_1\, e_0(X_1)\, e_2(X_2) + Y_2\, e_0(X_2)\, e_2(X_1) = 0. \end{cases}$$



Consider now the finite-dimensional $\mathbb{F}_p$-algebra 

$$B = \mathbb{F}_p[X_1, X_2, Y_1, Y_2]/\big(E_1, E_2, F_1, F_2,\ Y_1^2 - f(X_1),\ Y_2^2 - f(X_2)\big).$$



In a generic situation, the minimal polynomial of $-(X_1 + X_2)$ in $B$ is then 
precisely the polynomial $R_1$ that appears in the Gröbner basis of $I_\ell$ (failures 
could occur, e.g., if there exists an $\ell$-torsion divisor $D = P_1 + P_2$ such that $[\ell]P_1$ 
is not of weight 2). We will see below that the whole Gröbner basis of $I_\ell$ is not 
necessary for the point-counting application we have in mind. Thus, we can start 
by working with the first two equations $E_1, E_2$, which involve $X_1, X_2$ only. 

These polynomials were already considered in [11]. The strategy used in that 
paper consisted in computing the resultant of $E_1, E_2$ with respect to $X_2$ for a 
start, from which it was possible to deduce the coordinates of $\ell$-torsion divisors. 
This approach did not take into account the symmetry in $(X_1, X_2)$; we now show 
how to work directly in Mumford's coordinates $U_1 = -(X_1 + X_2)$, $U_0 = X_1 X_2$, 
so as to compute resultants of lower degrees. 
3.2 Resymmetrisation 

The polynomials $E_1(X_1, X_2)$ and $E_2(X_1, X_2)$ are symmetric polynomials. It is 
well known that they can be expressed in terms of the two elementary symmetric 
polynomials $X_1 X_2$ and $X_1 + X_2$. The heart of Mumford's representation is the 
use of this expression, but this had been broken in order to apply Cantor's division 
polynomials. We call resymmetrisation the method that we present now to 
come back to a representation of bivariate polynomials in terms of the elementary 
symmetric polynomials. This is not as trivial as it seems, since the naive 
schoolbook method to symmetrize a polynomial yields a complexity jump in our 
case. 

Let us consider the unique polynomials $\mathfrak{E}_1$ and $\mathfrak{E}_2$ in $\mathbb{F}_p[U_0, U_1]$ such that 
$\mathfrak{E}_1(X_1 X_2, -X_1 - X_2) = E_1(X_1, X_2)$ and $\mathfrak{E}_2(X_1 X_2, -X_1 - X_2) = E_2(X_1, X_2)$, 
and let $\bar{R}_1 \in \mathbb{F}_p[U_1]$ be their resultant with respect to $U_0$; then $R_1$ divides $\bar{R}_1$. 

We want to use the following evaluation/interpolation technique to compute 
$\bar{R}_1$: evaluate the variable $U_1$ at sufficiently many scalars $u_1$, compute the resultants 
of $\mathfrak{E}_1(U_0, u_1)$ and $\mathfrak{E}_2(U_0, u_1)$, and interpolate the results. Unfortunately, 
computing with $\mathfrak{E}_1$ and $\mathfrak{E}_2$ themselves has prohibitive cost, as these polynomials 
have $O(\ell^4)$ monomials. However, their specific shape yields the following 
workaround. 

Let $h$ be a polynomial in $\mathbb{F}_p[X]$ and $X_1$ and $X_2$ be two indeterminates. Then 
the divided differences of $h$ are the bivariate symmetric polynomials 

$$\Delta_0(h) = \frac{h(X_1) - h(X_2)}{X_1 - X_2} \quad\text{and}\quad \Delta_1(h) = \frac{X_1\, h(X_2) - X_2\, h(X_1)}{X_1 - X_2}.$$

We let $\mathfrak{A}_0(h)$ and $\mathfrak{A}_1(h)$ be the unique polynomials in $\mathbb{F}_p[U_0, U_1]$ such that 
$\mathfrak{A}_0(h)(X_1 X_2, -X_1 - X_2) = \Delta_0(h)$ and $\mathfrak{A}_1(h)(X_1 X_2, -X_1 - X_2) = \Delta_1(h)$. Then 
a direct computation shows that 

$$\mathfrak{E}_1 = \mathfrak{A}_0(d_1)\, \mathfrak{A}_1(d_2) - \mathfrak{A}_0(d_2)\, \mathfrak{A}_1(d_1), \qquad 
\mathfrak{E}_2 = \mathfrak{A}_0(d_0)\, \mathfrak{A}_1(d_2) - \mathfrak{A}_0(d_2)\, \mathfrak{A}_1(d_0) \quad \text{in } \mathbb{F}_p[U_0, U_1].$$

Given an arbitrary polynomial $h$ in $\mathbb{F}_p[X]$ and $u_1 \in \mathbb{F}_p$, we show in the last 
paragraphs how to compute the polynomials $\mathfrak{A}_0(h)$ and $\mathfrak{A}_1(h)$ evaluated at $U_1 = 
u_1$ efficiently. Taking this operation for granted, we deduce Algorithm 2 for 
computing the resultant $\bar{R}_1$ of $\mathfrak{E}_1$ and $\mathfrak{E}_2$. 



Algorithm 2 Computation of the resultant $\bar{R}_1$ 

1. For $\deg(\bar{R}_1) + 1$ different values of $u_1 \in \mathbb{F}_p$, do 

(a) Compute $\mathfrak{A}_0(d_0), \mathfrak{A}_1(d_0), \mathfrak{A}_0(d_1), \mathfrak{A}_1(d_1), \mathfrak{A}_0(d_2), \mathfrak{A}_1(d_2)$ evaluated at $U_1 = u_1$. 

(b) Deduce $\mathfrak{E}_1$ and $\mathfrak{E}_2$, evaluated at $U_1 = u_1$. 

(c) Compute $\bar{R}_1(u_1)$ as the resultant in $U_0$ of $\mathfrak{E}_1$ and $\mathfrak{E}_2$. 

2. Interpolate $\bar{R}_1$ from the pairs $(u_1, \bar{R}_1(u_1))$. 



The classical estimates for the degrees of resultants imply that the degree 
of $\bar{R}_1$ is $6\ell^4 - 17\ell^2 + 12$; thus to be able to perform the interpolation, it is 
necessary to take at least $6\ell^4 - 17\ell^2 + 13$ different values of $u_1$. In practice, it is 
recommended to take a few more values of $u_1$, in order to check the computation. 
Note that the resultant of $E_1, E_2$ has degree $8\ell^4 - 22\ell^2 + 15$. 

We finish this subsection by detailing our solution to the problem raised 
above: given $u_1$ in $\mathbb{F}_p$ and $h$ in $\mathbb{F}_p[X]$, how to compute the polynomials $\mathfrak{A}_0(h)$ 
and $\mathfrak{A}_1(h)$ evaluated at $U_1 = u_1$ efficiently? It is immediate to check the following 
identity: 

$$h(X) = \mathfrak{A}_0(h)(U_0, u_1)\, X + \mathfrak{A}_1(h)(U_0, u_1) \bmod (X^2 + u_1 X + U_0).$$

Thus, the problem amounts to reducing $h$ modulo $X^2 + u_1 X + U_0$ in $\mathbb{F}_p[U_0][X]$. 
Our solution relies on the following primitive: if $h$ is a polynomial of degree $N$ 
in $\mathbb{F}_p[X]$ and $a$ is a scalar in $\mathbb{F}_p$, then the coefficients of $h(X + a)$ can be deduced 
from the coefficients of $h(X)$ for one polynomial multiplication in degree $N$, 
see [2]. We call this primitive var-shift. 

The main idea is now to rewrite the relation $X^2 + u_1 X + U_0 = 0$ in the form 
$(X + u_1/2)^2 = u_1^2/4 - U_0$. Let $Y = X + u_1/2$, and $k$ in $\mathbb{F}_p[X]$ such that $h(X) = 
k(Y)$. We group the coefficients of $k$ according to the parity of their indices, 
forming the polynomials $k_{\mathrm{odd}}$ and $k_{\mathrm{even}}$ such that $k(Y) = k_{\mathrm{even}}(Y^2) + Y\, k_{\mathrm{odd}}(Y^2)$. 
Taking $h$ modulo $X^2 + u_1 X + U_0$, we have 

$$h(X) = k_{\mathrm{even}}\!\left(\tfrac{u_1^2}{4} - U_0\right) + \left(X + \tfrac{u_1}{2}\right) k_{\mathrm{odd}}\!\left(\tfrac{u_1^2}{4} - U_0\right).$$

Thus, computing $\mathfrak{A}_0(h)$ and $\mathfrak{A}_1(h)$ can be done by Algorithm 3 below. 



Algorithm 3 Reduction of $h(X)$ modulo $X^2 + u_1 X + U_0$ in $\mathbb{F}_p[U_0][X]$ 

1. Compute $k$ from $h$ using var-shift. 

2. Decompose $k$ in $k_{\mathrm{odd}}$ and $k_{\mathrm{even}}$. 

3. Compute $k_{\mathrm{even}}(u_1^2/4 - U_0)$ and $k_{\mathrm{odd}}(u_1^2/4 - U_0)$ using var-shift. 

4. Recombine their coefficients to get $h(X) \bmod (X^2 + u_1 X + U_0)$. 
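Algorithm 3 in code, together with a numeric check of the resymmetrisation identity for $\mathfrak{E}$ from the paragraphs above, as an added example that is not the authors' implementation: it works over the constructed field $\mathbb{F}_{101}$, uses a plain Horner loop in place of the one-multiplication var-shift of [2], and checks its output against a direct reduction with a numeric $u_0$ and against the divided differences $\Delta_0, \Delta_1$ at a point where $X^2 + u_1 X + U_0$ splits. All sample polynomials are constructed.

```python
# Added example (not from the paper): Algorithm 3 over a toy prime field, plus a
# numeric check of  E = A0(h1) A1(h2) - A0(h2) A1(h1).  Polynomials are
# coefficient lists over F_P, lowest degree first.  var_shift is a plain Horner
# loop, not the one-multiplication method of [2] that the paper relies on.
P = 101   # constructed toy field

def trim(a):
    """Drop leading zero coefficients in place (keeps at least one entry)."""
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x + y) % P for x, y in zip(a, b)])

def mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return trim(out)

def evaluate(a, x):
    r = 0
    for c in reversed(a):
        r = (r * x + c) % P
    return r

def var_shift(h, a):
    """Coefficients of h(X + a), by Horner on the highest coefficient first."""
    out = [0]
    for c in reversed(h):
        out = add(mul(out, [a % P, 1]), [c % P])
    return out

def reduce_mod_quadratic(h, u1):
    """Algorithm 3.  Returns (A0, A1), polynomials in U0, with
    h(X) = A0*X + A1 mod (X^2 + u1 X + U0); A0 = A_0(h)(U0,u1), A1 = A_1(h)(U0,u1)."""
    half = u1 * pow(2, -1, P) % P                 # u1/2
    k = var_shift(h, -half)                       # step 1: k(Y) = h(Y - u1/2), so h(X) = k(X + u1/2)
    k_even = trim(k[0::2]) or [0]                 # step 2: k(Y) = k_even(Y^2) + Y k_odd(Y^2)
    k_odd = trim(k[1::2]) or [0]
    c = half * half % P                           # Y^2 = c - U0 with c = u1^2/4
    def at_c_minus_u0(kk):                        # step 3: kk(c - U0) as a polynomial in U0
        m = [(-x if i % 2 else x) % P for i, x in enumerate(kk)]   # m(Z) = kk(-Z)
        return var_shift(m, -c)                                      # m(U0 - c) = kk(c - U0)
    ke, ko = at_c_minus_u0(k_even), at_c_minus_u0(k_odd)
    # step 4: h = ke + (X + u1/2) ko, so the X-coefficient is ko, the constant ke + (u1/2) ko
    return ko, add(ke, [x * half % P for x in ko])

def reduce_numeric(h, u1, u0):
    """Direct reduction of h(X) mod X^2 + u1 X + u0 for a scalar u0: (alpha, beta), h = alpha X + beta."""
    alpha, beta = 0, 0
    for c in reversed(h):   # (alpha X + beta) X + c, using X^2 = -u1 X - u0
        alpha, beta = (beta - alpha * u1) % P, (c - alpha * u0) % P
    return alpha, beta

def divided_differences(h, x1, x2):
    """Delta_0(h) and Delta_1(h) of Section 3.2 at scalar points x1 != x2."""
    inv = pow((x1 - x2) % P, -1, P)
    h1, h2 = evaluate(h, x1), evaluate(h, x2)
    return (h1 - h2) * inv % P, (x1 * h2 - x2 * h1) * inv % P

def resymmetrised_E(h1, h2, x1, x2):
    """Both sides of (h1(X1)h2(X2) - h1(X2)h2(X1))/(X1 - X2) = A0(h1)A1(h2) - A0(h2)A1(h1)
    at U1 = -(x1 + x2), U0 = x1 x2.  Returns (lhs, rhs); they must agree."""
    u1, u0 = (-(x1 + x2)) % P, x1 * x2 % P
    a0_1, a1_1 = reduce_mod_quadratic(h1, u1)
    a0_2, a1_2 = reduce_mod_quadratic(h2, u1)
    inv = pow((x1 - x2) % P, -1, P)
    lhs = (evaluate(h1, x1) * evaluate(h2, x2) - evaluate(h1, x2) * evaluate(h2, x1)) * inv % P
    rhs = (evaluate(a0_1, u0) * evaluate(a1_2, u0) - evaluate(a0_2, u0) * evaluate(a1_1, u0)) % P
    return lhs, rhs
```

For $h = X^3$ and $u_1 = 2$ the output is $A_0 = 4 - U_0$ and $A_1 = 2U_0$, which is what $X^3 \equiv (4 - U_0)X + 2U_0 \bmod (X^2 + 2X + U_0)$ gives by hand; the whole computation touches only univariate polynomials in $U_0$ of degree about $\deg h / 2$, which is the point of the var-shift route.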



3.3 Parasites Prediction and Removal 

In [11] it is shown that a factor of the resultant of $E_1, E_2$ can be predicted and 
used to speed up the computation. This prediction is still possible in the context 
of the resymmetrisation, and the factor of $\bar{R}_1$ corresponding to such roots can 
be computed efficiently. The roots of this factor of $\bar{R}_1$ are called parasites: they 
are not the $U_1$-coordinates of an $\ell$-torsion divisor, and actually appear as a 
by-product of our elimination scheme. Thus, they can be safely factored out. 

If $x_1$ and $x_2$ in $\overline{\mathbb{F}}_p$ cancel $d_2$, then $E_1(x_1, x_2) = E_2(x_1, x_2) = 0$. The $U_1$ 
coordinates corresponding to these solutions can be written as $-(x_1 + x_2)$ where 
$x_1$ and $x_2$ are roots of $d_2$. Hence we obtain the following factor $\rho$ of $\bar{R}_1$: 

$$\rho(U_1) = \prod_{d_2(x_1) = 0}\ \prod_{d_2(x_2) = 0} (U_1 + x_1 + x_2).$$

The factor $\rho$ is a parasite, as generically it does not lead to any $\ell$-torsion divisor. 
Then $\rho$ divides $\bar{R}_1$ but not $R_1$, so we lose nothing in eliminating it from $\bar{R}_1$. The 
polynomial $\rho$ is computed using an algorithm of [4] dedicated to such questions. 
Then Step 2 in Algorithm 2 is replaced by the interpolation of $\bar{R}_1/\rho$ from the 
pairs $(u_1, \bar{R}_1(u_1)/\rho(u_1))$. 

The degree of $\rho$ is $4\ell^4 - 12\ell^2 + 9$, so the degree of $\bar{R}_1/\rho$ is $2\ell^4 - 5\ell^2 + 3$, reducing 
by a factor of about 3 the number of values of $u_1$ that have to be considered 
in Algorithm 2. As an output, we now have at our disposal the polynomial 
$\mathfrak{R}_1 = \bar{R}_1/\rho$, which is a multiple of $R_1$. For comparison, the resultant computed 
in [11] has degree $4\ell^4 - 10\ell^2 + 6$, which is twice the degree of $\mathfrak{R}_1$. 



3.4 Factorization and Reconstruction of a Torsion Element 

Once the resultant $\mathfrak{R}_1$ has been computed, the task is not finished: indeed, what 
we want is the representation of an $\ell$-torsion divisor, so that we can plug it 
into the equation of the Frobenius endomorphism. Here, there are two possible 
strategies: 

1. Refine $\mathfrak{R}_1$ to get exactly $R_1$ and reconstruct from it the whole Gröbner basis 
of $I_\ell$ describing a generic $\ell$-torsion divisor. 

2. Look for small degree factors of $\mathfrak{R}_1$, check if they are indeed factors of $R_1$ 
and deduce the corresponding $\ell$-torsion divisors. 

By analogy with Schoof's algorithm for elliptic curves, one would think that 
the first choice is the most pertinent. However, refining $\mathfrak{R}_1$ into $R_1$ can be a costly 
task, and if there exist indeed small factors of $\mathfrak{R}_1$, then the second solution is 
faster. That is the reason why we chose the second solution in our experiments 
described below. However, especially for $\ell = 17$ or 19, we could feel the limit 
of this choice. Therefore, for larger computations, we should probably switch to 
the first solution. 

We now describe the second strategy in more detail. 

Let $u_1$ be a root of $\mathfrak{R}_1$ in an extension $\mathbb{F}_q$ of $\mathbb{F}_p$. We evaluate the polynomials 
$E_1$ and $E_2$ at $(X_1, -u_1 - X_1)$ in $\mathbb{F}_q[X_1]$, and obtain two univariate polynomials 
in $\mathbb{F}_q[X_1]$. Their GCD is (generically) a polynomial of degree 2 which might, or 
might not, be the $u$-polynomial of an $\ell$-torsion divisor. To settle the question, we take 
into account the last two equations $F_1$ and $F_2$, and check that our candidate $u$-polynomial 
is compatible with them. If not, we try again and select another root 
of $\mathfrak{R}_1$. Otherwise, we deduce the $v$-polynomial, and build an $\ell$-torsion divisor defined 
over $\mathbb{F}_q$. It is then plugged into all possible candidates for the characteristic 
polynomial $\chi(T) \bmod \ell$ to detect the right one. 

We now concentrate on the problem of finding irreducible factors of $\mathfrak{R}_1$, 
using classical ingredients of polynomial factorization. It is interesting to find 
the factors of small degree first, as it reduces the subsequent computation. Thus, 
we start by detecting the linear factors, given by $\gcd(X^p - X, \mathfrak{R}_1(X))$. If this 
GCD is non-trivial, then the corresponding roots are separated and processed 
before maybe continuing the factorization. Then factors of degree $d$ are detected 
for increasing $d$ by computing $\gcd(X^{p^d} - X, \mathfrak{R}_1(X))$, and when we find a root, it 
is used to try to build an $\ell$-torsion divisor that perhaps determines $\chi(T) \bmod \ell$. 
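The distinct-degree search just described, $\gcd(X^{p^d} - X, \mathfrak{R}_1(X))$ for increasing $d$ with $X^{p^d}$ obtained by the classical powering algorithm, as an added example that is not the paper's code: it runs on a constructed squarefree polynomial over $\mathbb{F}_7$ whose irreducible factors have degrees 1, 2 and 3, and strips each degree class from the polynomial as soon as it is found, which is how the smallest factors are isolated first.

```python
# Added example (not from the paper): distinct-degree factor detection as in
# Section 3.4, gcd(X^{p^d} - X, R(X)) for d = 1, 2, ..., on a constructed
# squarefree polynomial over the toy field F_7.  Coefficient lists, low degree first.
P = 7

def trim(a):
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return trim(out)

def divmod_poly(a, b):
    """Quotient and remainder of a by b in F_P[X] (b nonzero)."""
    a = a[:]
    inv = pow(b[-1], -1, P)
    q = [0] * max(len(a) - len(b) + 1, 1)
    while len(a) >= len(b) and any(a):
        coef = a[-1] * inv % P
        shift = len(a) - len(b)
        q[shift] = coef
        for j, bj in enumerate(b):
            a[shift + j] = (a[shift + j] - coef * bj) % P
        trim(a)
    return trim(q), trim(a)

def monic(a):
    inv = pow(a[-1], -1, P)
    return [x * inv % P for x in a]

def gcd(a, b):
    while any(b):
        a, b = b, divmod_poly(a, b)[1]
    return monic(a)

def powmod(base, e, m):
    """base^e mod m by repeated squaring (the classical powering algorithm)."""
    result = [1]
    while e:
        if e & 1:
            result = divmod_poly(mul(result, base), m)[1]
        base = divmod_poly(mul(base, base), m)[1]
        e >>= 1
    return result

def distinct_degree_factorization(R):
    """Returns [(d, g_d), ...] where g_d is the product of the irreducible factors
    of R of degree d, found for increasing d via gcd(X^{p^d} - X, R).
    R is assumed squarefree, as R_1 is in the paper."""
    R = monic(R)
    found = []
    x_pow = [0, 1]                          # X^{p^d} mod R, starting at d = 0
    d = 0
    while len(R) - 1 >= 2 * (d + 1):        # two factors of degree d+1 could still fit
        d += 1
        x_pow = powmod(x_pow, P, R)         # X^{p^d} = (X^{p^{d-1}})^p
        diff = x_pow + [0] * (2 - len(x_pow))
        diff[1] = (diff[1] - 1) % P         # X^{p^d} - X
        g = gcd(trim(diff), R)
        if len(g) > 1:
            found.append((d, g))
            R = divmod_poly(R, g)[0]        # remove that degree class and go on
            x_pow = divmod_poly(x_pow, R)[1]
    if len(R) > 1:                          # whatever is left is irreducible
        found.append((len(R) - 1, R))
    return found

# constructed sample: (X + 1)(X^2 + 1)(X^3 + X + 1); each factor is irreducible over F_7
SAMPLE_R = mul(mul([1, 1], [1, 0, 1]), [1, 1, 0, 1])

if __name__ == "__main__":
    print(distinct_degree_factorization(SAMPLE_R))
```

The first gcd is the $\gcd(X^p - X, \mathfrak{R}_1)$ of the text and returns exactly the linear factors; afterwards the loop stops as soon as the remaining degree is smaller than $2(d+1)$, since what is left can no longer split into two factors of degree above $d$.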

This can be improved using the fact that the factorization pattern of $R_1$ is 
partly predictable. Indeed, due to the Galois structure induced by the group 
law in $J(C)$, some factorization patterns are forbidden. We can then proceed as 
follows: we first precompute the list of all possible patterns corresponding to $\ell$ 
and $p$, and we start looking for irreducible factors by increasing degree as before. 
At each step, the number of factors we find eliminates some patterns in the list. 
Then we look in the remaining patterns for the next smallest possible degree 
and try directly to catch factors of that degree. If there is a large gap between 
the current degree and the next one, the Baby-step/Giant-step strategy of [30] 
using modular compositions can yield a significant speed-up compared to the 
classical powering algorithm. 

As another application of the factorization patterns, we mention the influence 
of the choice of $p$: if $p \equiv 1 \bmod \ell$, then we can infer that the smallest irreducible 
factor of $R_1$ has degree at most $(\ell^2 + 1)/2$, compared to possibly $O(\ell^3)$ in the 
general case. We do not give details on the determination of the possible patterns 
for lack of space. The idea is similar to the one used in [12] for modular equations. 

3.5 Complexity 

We start by evaluating the cost in $\mathbb{F}_p$-operations of one iteration of Step 1 in 
Algorithm 2. Using Algorithm 3, the cost of computing $\mathfrak{A}_0(d_0), \mathfrak{A}_1(d_0), \mathfrak{A}_0(d_1), 
\mathfrak{A}_1(d_1), \mathfrak{A}_0(d_2), \mathfrak{A}_1(d_2)$ is $O(M(\ell^2))$, since the $d_i$ have degree $O(\ell^2)$. Deducing 
$\mathfrak{E}_1$ and $\mathfrak{E}_2$ involves 4 more multiplications of polynomials of degree $O(\ell^2)$ at a 
cost of $O(M(\ell^2))$. The resultant of $\mathfrak{E}_1$ and $\mathfrak{E}_2$ can then be computed using the 
HGCD algorithm at a cost of $O(M(\ell^2) \log \ell)$. 

Hence the resultant computation is dominating this step; this would not 
have been the case without the var-shift strategy. The loop in Step 1 must be 
repeated for $O(\ell^4)$ different values of $u_1$, so the cost of Step 1 is $O(\ell^4 M(\ell^2) \log \ell)$ 
operations in $\mathbb{F}_p$. Step 2 is a degree $O(\ell^4)$ polynomial interpolation, which can 
be done using $O(M(\ell^4) \log \ell)$ operations in $\mathbb{F}_p$. 

We now evaluate the influence of the parasite prediction on the complexity. 
The polynomial $\rho$ is computed using the algorithm of [4] at a cost of $O(M(\ell^4))$ 
operations. Then its evaluations at the $O(\ell^4)$ different values of $u_1$ can be deduced 
using $O(M(\ell^4) \log \ell)$ operations in $\mathbb{F}_p$. Therefore, the cost of precomputing 
the effect of the parasite factor is negligible compared to the cost of computing 
$\bar{R}_1$. 

Knowing the values of $\rho$ on the different values of $u_1$ allows us to interpolate 
a polynomial of degree 3 times less. This yields a speed-up by a factor at least 
3 (and even more in practice, depending on the function $M$). Also the input of 
the factorization step is 3 times smaller, thus gaining a constant factor in that 
phase. 

The factorization phase is less easy to analyze, since its complexity varies 
quite a lot depending on the degrees of the smallest irreducible factors. Denote 
by $d$ the degree of the smallest factor of $\mathfrak{R}_1$ that allows us to deduce $\chi(T) \bmod \ell$. 
By the powering algorithm, computing $\gcd(X^{p^d} - X, \mathfrak{R}_1(X))$ can be done using 
$O((d \log p + \log \ell)\, M(\ell^4))$ operations in $\mathbb{F}_p$ and isolating one of the factors of degree 
$d$ has similar expected complexity. From an irreducible factor of degree $d$, the 
reconstruction of an $\ell$-torsion divisor $D$ defined over $\mathbb{F}_{p^d}$ requires manipulating 
polynomials of degree $O(\ell^2)$ over $\mathbb{F}_{p^d}$, so it costs $O(M(d\ell^2) \log \ell)$ operations in 
$\mathbb{F}_p$. 

Finally, the detection of the invalid choices for $(s_1, s_2) \bmod \ell$ requires 4 applications 
of the Frobenius endomorphism to $D$ and $O(\ell)$ group operations in 
$J(C/\mathbb{F}_{p^d})$, that is $O((\ell \log d + \log p)\, M(d))$ operations in $\mathbb{F}_p$. 

If $d$ is small enough (say $d = O(\ell)$), this factoring strategy is satisfactory 
since its complexity is not worse than computing $\mathfrak{R}_1$, if $\log p$ is not too large. 
However, if $d$ is $O(\ell^2)$, then the above complexity estimate of the factoring step 
is catastrophic. Using the known factorization patterns is useful in this context, 
even if the precise analysis is complicated. We expect that working with the whole 
ideal $I_\ell$ (thus avoiding the factorization) is more suited for a proper analysis; 
cleaning all details of that approach is out of the scope of this article. 

4 Computation Modulo Small Prime Powers

Given a prime ℓ, from the knowledge of an ℓ-torsion divisor in J(C), one can de-
duce ℓ^2-torsion divisors by performing a division by ℓ in the Jacobian; iterating
this process yields divisors of ℓ^3-torsion, ℓ^4-torsion, ... This can be used within
Schoof's algorithm, so as to obtain modular information on the polynomial χ(T)
modulo ℓ^2, ℓ^3, and so on. As appears below, there are many computational diffi-
culties to overcome before this can be efficiently applied in practice. We mostly
dedicated our efforts to the case ℓ = 2, improving the techniques of [11], and
spend much of this section describing this case. We thereafter briefly describe
the case ℓ = 3.

In the case ℓ = 2, this lifting strategy was already used in [11]. It starts from
the data of a 2-torsion divisor; then the iterative step is as follows. Suppose that
a divisor D_k of 2^k-torsion is given; we denote by F_q the extension of the base
field F_p over which D_k is defined. We make the assumption that D_k has weight
2, and write D_k = (x^2 + u1 x + u0, v1 x + v0).

There are exactly 2^4 = 16 divisors D such that [2]D = D_k. Let us make
the genericity assumption that all these divisors have weight 2, and introduce
4 indeterminates U1, U0, V1, V0 to denote the coordinates of D. Using doubling
formulas coming from Cantor's addition algorithm, we obtain a system F_k that
relates D and D_k:

    H1(U1, U0, V1, V0) = u1,    G1(U1, U0, V1, V0) = 0,
    H2(U1, U0, V1, V0) = u0,    G2(U1, U0, V1, V0) = 0,
    H3(U1, U0, V1, V0) = v1,
    H4(U1, U0, V1, V0) = v0,

where H1, H2, H3, H4 are rational functions, and G1, G2 are polynomials which
specify that x^2 + U1 x + U0 divides (V1 x + V0)^2 − f. Cleaning denominators, we are
left with a polynomial system in U1, U0, V1, V0, with u1, u0, v1, v0 as parameters.
We make the further genericity assumption that the ideal generated by F_k admits
a Gröbner basis of the form

    V0 − L0(U1),
    V1 − L1(U1),
    U0 − M0(U1),
    M1(U1),

where M1 ∈ F_q[U1] has degree 16 and L0, L1, M0 have degree at most 15. Since
D_k is 2^k-torsion, this provides a description of 16 divisors of 2^{k+1}-torsion.

The next step is to factorize the polynomial M1 in F_q[U1]. Any factor of M1
can be used to try and determine the characteristic polynomial χ mod 2^{k+1}, but
some of them might give no information. Let r be one irreducible factor of lowest
degree that allows the determination of χ mod 2^{k+1}, n its degree, and u1 a root
of r in F_{q^n}. Then the divisor D_{k+1} = (x^2 + u1 x + M0(u1), L1(u1) x + L0(u1)) is
of 2^{k+1}-torsion. It can be used for the next loop of the algorithm.

From the computational point of view, the main tasks to perform at the
kth step are the following: first, solve a zero-dimensional polynomial system of
the form [2]D = D_k, then factorize a polynomial of degree 16. The following
subsections detail our contributions on these questions. It should be clear that
these computations are done with polynomials defined over an extension F_q of
the base field F_p, whose possibly high degree is the main cause of concern.



4.1 Performing a Division by 2

All the systems F_k that we consider are obtained in the same manner; as k
grows, only their right-hand sides vary. The difficulty comes from the fact that
the field of definition of u1, u0, v1, v0 is an extension of F_p of possibly high degree.

The solution, suggested in [11], is to solve the system F_k for generic values
u1, u0, v1, v0. There are of course only two degrees of freedom, as x^2 + u1 x + u0
must divide (v1 x + v0)^2 − f. Working over the base field F_p(u1, u0), we are thus
led to consider the system F_gen in the unknowns v1, v0, U1, U0, V1, V0:

    H1(U1, U0, V1, V0) = u1,    G1(U1, U0, V1, V0) = 0,
    H2(U1, U0, V1, V0) = u0,    G2(U1, U0, V1, V0) = 0,
    H3(U1, U0, V1, V0) = v1,    G1(u1, u0, v1, v0) = 0,
    H4(U1, U0, V1, V0) = v0,    G2(u1, u0, v1, v0) = 0,

where the last two equations express that x^2 + u1 x + u0 divides (v1 x + v0)^2 − f.
Generically, the solutions of this system can be represented the following way:

    T = { V0 − L0(U1, v1),
          V1 − L1(U1, v1),
          U0 − M0(U1, v1),
          M1(U1, v1),
          v0 − N1(v1),
          N0(v1) }.

All these polynomials have coefficients in F_p(u1, u0). The polynomial N0 has
degree 4, N1 has degree less than 4, M1 has degree 16 in U1 and less than 4 in
v1, and L0, L1, M0 have degree less than 16 (resp. 4) in U1 (resp. v1).

Systems like F_gen that involve free variables are difficult to handle. A direct
application of a Gröbner basis algorithm over F_p(u1, u0) fails by lack of memory,
so we used the algorithm of [28], dedicated to such situations, to compute T.
Once T is known, it can be specialized on the coordinates of the divisor D_k,
realizing its division by 2.

The solution presented in [11] followed the same approach, with a notable
difference: instead of considering the representation T, another representation
was used, which involved polynomials of degree 64. Our approach reduces this
degree to 16, and makes the subsequent computations much easier.

In terms of complexity, the polynomials defining the system F_gen have degree
bounded independently of p; thus, computing T takes a bounded number of
operations in F_p. Next, at each division step, we must specialize u1, u0, v1, v0
on the coordinates of the divisor D_k in T. If D_k is defined in a degree d extension
of F_p, then this substitution requires O(M(d)) operations in F_p.

4.2 Factorization Using the Action of the 2-Torsion

After performing the division by 2, we are left with a description of the solution
set V_k of the system F_k by means of the following representation:

    M1(U1) = 0,  U0 = M0(U1),  V1 = L1(U1),  V0 = L0(U1).

Now, we have to factorize the polynomial M1 ∈ F_q[U1]. It has degree 16, which
is moderate; the main issue is the degree of F_q over its prime field: in the com-
putations presented below, F_q had degree up to 1280 over its prime field. We now
show how to simplify this factorization, using the natural action of the 2-torsion
group J(C)[2] on V_k, in the spirit of [14].

Let us see U1 as a coordinate function on the set of weight 2 divisors (the
choice of U1 is arbitrary, but makes the computation easier). To any subgroup G
of J(C)[2], we associate the averaging operator S_G : D ↦ Σ_{g∈G} U1(D + g), which
is defined as soon as all divisors D + g have weight 2. Now, G acts on V_k, and
each orbit has cardinality |G|. The function S_G takes constant values on each
orbit, so it takes at most [J(C)[2] : G] distinct values on V_k. By an additional
genericity assumption, we may suppose that S_G takes precisely [J(C)[2] : G]
distinct values on V_k.

To realize this algebraically, let us introduce the "divisor" D_0 = (x^2 + U1 x +
M0, L1 x + L0), defined over F_q[U1]/M1. Given any 2-torsion divisor g, we can
apply the addition formulas to D_0 and g, performing all operations in F_q[U1]/M1
(the addition formulas require divisions, but if one of them fails it gives a proper
factor of M1). We obtain a "divisor" D_g = (x^2 + u1^(g) x + u0^(g), v1^(g) x + v0^(g)),
where u1^(g), u0^(g), v1^(g), v0^(g) are in F_q[U1]/M1; by construction, if D is any divisor
in V_k, then the U1-coordinate of D + g is obtained by evaluating u1^(g) on the U1-
coordinate of D. Let thus s_G = Σ_{g∈G} u1^(g) ∈ F_q[U1]/M1. Then for any D ∈ V_k,
the value S_G(D) is obtained by evaluating s_G on the U1-coordinate of D. From
the above discussion on the function S_G, we deduce that the minimal polynomial
of s_G in F_q[U1]/M1 has degree [J(C)[2] : G].

As an abstract group, J(C)[2] is isomorphic to (Z/2Z)^4. Let us consider sub-
groups

    G1 ≅ Z/2Z ⊂ G2 ≅ (Z/2Z)^2 ⊂ G3 ≅ (Z/2Z)^3 ⊂ J(C)[2] ≅ (Z/2Z)^4.

Using the above construction, we associate to these subgroups the elements s1,
s2, s3 of F_q[U1]/M1. Introducing their minimal polynomials, we deduce that the
extension F_q → F_q[U1]/M1 is isomorphic to the quotient of F_q[U1, S1, S2, S3] by
some polynomials

    T_U(U1, S1, S2, S3),
    T1(S1, S2, S3),
    T2(S2, S3),
    T3(S3),

where all polynomials have degree 2 in their main variables, resp. S3, S2, S1, U1.
Using this decomposition, we avoid the factorization of M1: we start by fac-
torizing T3 over F_q, and adjoin one of its roots to F_q; then we factor T2 over
this new field, and so on. Thus, only the computation of T3, T2, T1, T_U and four
square root extractions are needed.

Suppose that q = p^d; then all polynomials T3, T2, T1, T_U can be computed
in O(M(d)) operations in F_p. For square-root extraction, we used a factoriza-
tion algorithm quite similar to those of [33] and [17]. Using such algorithms,
the expected complexity of extracting a square root in F_{p^d} is O(C(d) log(d) +
M(d) log(p)) operations in F_p, where C(d) denotes the cost of modular composi-
tion in degree d, so that C(d) ∈ O(d^2 + √d M(d)), see [6]. One should note that
this whole process only saves a constant factor over the factorization of M1 from
scratch; however, it was quite significant in practice.

In the worst case, after k lifting steps, the degree d might be of order O(16^k).
In this case, taking into account all previous estimates, the expected complexity
to obtain a 2^k-torsion divisor is in O(k C(16^k) + M(16^k) log(p)) base field
operations. However, our experiments showed that with a surprising amount
of uniformity, the degree of this extension was actually in O(2^k), so the above
complexity bound was by far overestimated.

4.3 Performing a Division by 3

Most of what was described above extends mutatis mutandis to arbitrary ℓ.
Nevertheless, the computations become much more difficult: even for ℓ = 3, we
did not solve the system describing the division of a generic divisor by 3. Thus,
we used the plain strategy to divide torsion divisors by 3, by means of successive
Gröbner basis computations, over extensions of F_p of increasing degrees. As
the tables below reveal, the time required for solving these polynomial systems
makes this approach much more delicate than for 2-torsion. As a consequence,
we did not implement the equivalent of our improved factorization process, and
used a plain factorization strategy.
5 Implementation and Experiments

We implemented a whole point-counting algorithm including all the above-
mentioned improvements and the MCT algorithm [21], first within the Magma
computer algebra system [3]. Then, the critical parts of the computation modulo
small primes and the MCT algorithm were implemented in C++ using the NTL
library [29]. The communication between different parts of the program is done
using files for small communications or named pipes in the case of a heavy in-
teraction. For instance, the analysis of the factorization pattern of the resultant
R1 is implemented in a Magma program that sends elementary factoring tasks
(like a modular composition) to a running NTL program.

To test our program we ran it on several randomly chosen curves defined over
F_p with p = 5 × 10^24 + 8503491, with the hope of finding some cryptographically
secure Jacobians. An early abort strategy was used to eliminate curves C for
which either the Jacobian order or the Jacobian order of the twisted curve was
discovered to be non-prime. In particular, f must be irreducible to ensure the
oddness of the group orders.

We have computed the characteristic polynomials of 32 randomly chosen
curves, that yield 64 group orders, taking into account the twists. Due to the
early abort strategy, these group orders are not divisible by any prime less than
or equal to 19. Among them, 7 were found to be primes, meaning that the
corresponding Jacobians are secure against all known attacks. One particular
curve has the nice feature that both itself and its twist have a prime order
Jacobian. The data for that curve can be found in the appendix.

Table 1 gives statistics for the runtimes of the different steps of the algorithm.
They are given in seconds on a Pentium IV at 2.26 GHz having 1 GB of central
memory. Due to the early abort strategy, the statistics for the factoring phase
are made on fewer curves for larger ℓ, e.g., 39 curves for ℓ = 5, versus 21 curves for
ℓ = 19. More curves were computed on different computers and were not taken
into account for the statistics.

The modular composition used for factorization is done using Brent and
Kung's algorithm [6]. For ℓ = 17 and ℓ = 19, the precomputation (baby steps)
is not balanced with the giant steps due to memory constraints. This explains
why the runtimes for those values look so bad compared to other values.

As for the torsion lifting, 2-torsion was much easier to handle than 3-torsion,
as we computed divisors of order 1024 = 2^10, versus 27 = 3^3 only. The curves we
used were selected so that they have 8-torsion defined over F_{p^10} and 3-torsion
defined over F_{p^4}. Then in almost all cases, the 2^i-torsion divisors, i > 3, were
defined in extensions of degrees 10, 20, 40, 80, ..., and the 3^i-torsion divisors in
extensions of degrees 4, 12, 36, ...

After the modular computations, we know χ(T) mod 44696171520 = 2^10 ·
3^3 · 5 · 7 · 11 · 13 · 17 · 19; for comparison's sake, note that in [11], the modular
computation went to 3843840 = 2^8 · 3 · 5 · 7 · 11 · 13. To conclude, we run the MCT
algorithm. Due to memory requirements, we used a Xeon at 2.66 GHz with 2
GB of memory; this computation takes about 3 hours and 1.7 GB per curve.
Computations Modulo Small Primes

ℓ                        5        7        11       13        17        19        Theory
generic degree of R1     1,128    4,560             56,280    165,600   258,840
generic degree of ρ      2,209    9,025    57,121   112,225   330,625   516,961
Time computing ρ         0.3      2        23       52        256       374       O(M(ℓ^4) log ℓ)
Time Step 1, Algo 1      6.5      63       1,504    5,072     34,869    69,162    O(ℓ^2 M(ℓ^4) log ℓ)
Time Step 2, Algo 1      0.3      2        17       39        182       275       O(M(ℓ^4) log ℓ)
Total time Algo 1        7.1      67       1,544    5,163     35,307    69,811
Time X^p mod R1          3.3      15       77       280       2,251     2,294     O(M(ℓ^4) log p)
Time Prec. Mod Comp      0.8      8        105      525       3,267     2,122     O(ℓ^2 M(ℓ^4))
Time Apply Mod Comp      1.1      11       225      976       20,768    51,710    O(ℓ^8 + ℓ^2 M(ℓ^4))
Factoring Time (Min)     12.5     59       524      1,055     23,537    15,061
Factoring Time (Max)     61       353               23,083    206,860   359,330
Factoring Time (Avg)     42       193               9,415     117,785   145,734

2- and 3-Torsion Lifting

Torsion    Total Time (Min)    Total Time (Max)    Total Time (Avg)
27         10,901              11,317              11,511
1024       71,421              103,433             90,071

Lifting to 1024-torsion, details for a sample curve (generic resolution: 5,104 sec)

Torsion    Degree    Specialization    Factor    Deducing χ
8          10        1                 12        1
16         20        1                 37        3
32         40        3                 178       16
64         80        15                543       50
128        160       41                1,423     146
256        320       115               4,627     459
512        640       390               16,776    1,602
1024       1280      1301              58,408    6,590

Lifting to 27-torsion, details for a sample curve

Torsion    Degree    Gröbner    Factor    Deducing χ
9          12        745        914       3
27         36        3,811      5,917     19

Table 1. Runtimes in seconds for the torsion computation on a 2.26 GHz Pentium IV.



Putting all this together, a complete point-counting for a random curve over F_p
takes on average about 1 week.

For comparison, in the record-curve computation in [11] the Schoof-like part
was used up to ℓ = 13. Just the modulo 13 computation had taken 205 hours
on a Pentium II at 450 MHz. A crude estimation gives a runtime of about 40
hours on the same computer as the one we used in this paper. This has to be
compared with the 4 hour runtime that we obtained with our improvements and
our new implementation.

Are the Curves "Random"? In our computer experiments, the "pure ran-
domness" is biased in several places. Due to the cryptographic requirements,
the group order must be prime, so "random curve" should be understood as ran-
dom among the curves with prime order Jacobians, but that is standard. Also a
bias is introduced by our early abort strategy on both the curve and its twist.

A more important bias is in the choice of p. We chose a prime which is
congruent to 1 modulo all the small primes ℓ for which we do the Schoof com-
putation. This was meant to speed up the factorization of the resultant R1, as
mentioned in Section 3.4. This dependency of the runtime of the algorithm on the
form of p can be avoided by working in the formal algebra instead of factoring.
In fact, in more recent versions of our software, we implemented this and the
runtimes are slightly better for large ℓ. Hence, this bias could be removed.

The last bias that we introduced is the particular shape of the 8- and 3-
torsion that we imposed. The goal was mostly to have the same kind of behav-
ior for all the curves with respect to the division by 2 and by 3. Indeed, the
division algorithms rely on Gröbner basis computations and are very hard to
implement and to debug. The technical difficulty of handling our computation
on many computers, with interactions between Magma and NTL, led us to add
this simplification that made our code more reliable.

Our NTL implementation of the Schoof-like part has been made freely avail-
able [9]. The Magma implementation of the division algorithms is not stable
enough to be exported in the present state.

6 Conclusion and Perspectives 

In this paper, we have detailed algorithms used to compute the cardinalities of
Jacobians defined over prime fields of order about 10^24. Most of our attention was
aimed at improving the techniques for torsion computation introduced in [11]. 

We expect more improvements to be possible. For instance, for torsion index 
about 17 or 19, the factorization strategy of Subsection 3.4 becomes lengthy, 
and comparative tests with other strategies are necessary, possibly using the 
modular equations of [12]. Also, our techniques for lifting the 3-torsion are still 
quite crude, as we would like it to be as efficient as that of 2-torsion. We have 
designed a birthday paradox version of the MCT algorithm, to be described 
elsewhere [13], that loses a constant factor in runtime but is highly parallelizable 
and requires almost no memory. In future work, we also plan to use it on top of 
our torsion computation algorithms. 
Appendix: A Cryptographically Secure Curve

Let C be defined by y^2 = f(x) over F_p with p = 5 × 10^24 + 8503491, and

    f(x) = x^5 + 2682810822839355644900736 x^3 + 226591355295993102902116 x^2 +
           2547674715952929717899918 x + 4797309959708489673059350.

Then its characteristic polynomial is χ(T) = T^4 − s1 T^3 + s2 T^2 − p s1 T + p^2,
where

    s1 = 1173929286783  and  s2 = 4402219446392186881834853.

Thus the cardinality of its Jacobian is

    N_J = χ(1) = 24999999999994130438600999402209463966197516075699,

which is a 164-bit prime number. Furthermore the quadratic twist of C has a
Jacobian with group order

    N_J' = χ(−1) = 25000000000005869731468829402229428962794965968171,

which is also a prime number.
Abstract. Denoting by P = [k]G the elliptic-curve double-and-add
multiplication of a public base point G by a secret k, we show that allow-
ing an adversary access to the projective representation of P, obtained
using a particular double and add method, may result in information
being revealed about k.

Such access might be granted to an adversary by a poor software im-
plementation that does not erase the Z coordinate of P from the com-
puter's memory or by a computationally-constrained secure token that
sub-contracts the affine conversion of P to the external world.

From a wider perspective, our result proves that the choice of representa-
tion of elliptic curve points can reveal information about their underlying
discrete logarithms, hence casting potential doubt on the appropriateness
of blindly modelling elliptic curves as generic groups.

As a conclusion, our result underlines the necessity to sanitize Z after
the affine conversion or, alternatively, randomize P before releasing it.

1 Introduction

There are various systems of projective coordinates that are used in conjunction
with elliptic curves: the usual (classical) system replaces the affine coordinates
(x, y) by any triple (X, Y, Z) = (λx, λy, λ), where λ ≠ 0 is an element of the
base field.
From such a (X, Y, Z), the affine coordinates are computed back as

    (x = X/Z, y = Y/Z) = Affine(X, Y, Z).

A variant of the above, often called Jacobian projective coordinates, replaces
the affine coordinates (x, y) by any triple (λ^2 x, λ^3 y, λ), where λ is a non-zero
element of the base field. From (X, Y, Z), the affine coordinates are computed as

    (x = X/Z^2, y = Y/Z^3) = Affine(X, Y, Z).

These coordinates are widely used in practice, see for example [1] and [4].

This paper explores the following question:

Denoting by P = [k]G the elliptic-curve multiplication of a public base point
G by a secret k, does the projective representation of P result in information
being revealed about k?

From a practical perspective, access to P's Z coordinate might stem from a
poor software implementation that does not erase the Z coordinate of P from
the computer's memory, or be caused by a computationally-constrained secure token
that sub-contracts the affine conversion of P to the external world.

We show that information may leak out and analyse the leakage in two
different settings: Diffie-Hellman key exchange and Schnorr signatures.

Moreover, our paper seems to indicate that point representation matters: the
generic group model is often used to model elliptic curve protocols, see [2], [10],
[11]. In this model one assumes that the representation of the group elements
gives no benefit to an adversary. This approach allows cryptographic schemes
built from elliptic curves to be supported by some form of provable security.
However, it has some pitfalls. In [11], it was shown that using encodings which do
not adequately distinguish an elliptic curve from its opposite, as done in ECDSA,
opens the way to potential flaws in the security proofs. In this paper we show that
using projective coordinates to represent elliptic curve points rather than affine
coordinates may leak some information to an attacker. Thus, we can conclude
that modelling elliptic curves as generic groups is not appropriate in this case,
so that the generic model methodology only applies under the assumption that
affine points are made available to an external viewer/adversary of the protocol.

We note that our results imply that projective coordinates should be used
with care when they could be made available to an adversary. Our results do
not however imply that using projective coordinates for internal calculations has
any security implications.

2 Elliptic Curve Addition Formulae

In the following, we will restrict our attention to elliptic curves over fields of
large prime characteristic. We will also focus on projective coordinates of the
second kind (the situation being quite similar, mutatis mutandis, in the other
cases).

In our prime field case, the reduced equation of the curve C is:

    y^2 = x^3 + ax + b mod p

Jacobian projective coordinates yield the equation:

    Y^2 = X^3 + aXZ^4 + bZ^6 mod p

Projective coordinates allow a smooth representation of the infinity point O on
the curve: (0,1,0) in the first system, (1,1,0) in the other. They also provide
division-free formulae for addition and doubling.

Standard (affine) addition of two distinct elliptic curve points, (x0, y0) and
(x1, y1), yields (x2, y2), with:

    x2 = ((y1 − y0)/(x1 − x0))^2 − x0 − x1

Note that x1 − x0 equals:

    W / (Z0 Z1)^2

where W is X1 Z0^2 − X0 Z1^2. From this it readily follows that (W Z0 Z1)^2 x2 is a
polynomial in X0, Y0, Z0, X1, Y1, Z1, since the further factors coming from Z0
and Z1 cancel the denominators for x0 and x1.

The affine coordinate y2 is given by:

    y2 = −y0 + ((y1 − y0)/(x1 − x0)) (x0 − x2)

Expanding in projective coordinates yields a denominator equal to (W Z0 Z1)^3.
Thus, (W Z0 Z1)^3 y2 is a polynomial in X0, Y0, Z0, X1, Y1, Z1. Finally, we see that
setting:

    Z2 = W Z0 Z1

we can obtain division-free formulae. Such formulae are given in [4] and [1], and
we simply reproduce them here:

    U0 ← X0 Z1^2,      S0 ← Y0 Z1^3,      U1 ← X1 Z0^2,      S1 ← Y1 Z0^3,
    W ← U0 − U1,       R ← S0 − S1,       T ← U0 + U1,       M ← S0 + S1,
    Z2 ← W Z0 Z1,      X2 ← R^2 − T W^2,  V ← T W^2 − 2 X2,  2 Y2 ← V R − M W^3.

There is a similar analysis for doubling; again, we simply provide the correspond-
ing formulae:

    M ← 3 X1^2 + a Z1^4,    Z2 ← 2 Y1 Z1,    S ← 4 X1 Y1^2,
    X2 ← M^2 − 2 S,         T ← 8 Y1^4,      Y2 ← M (S − X2) − T.
3 The Attack

Throughout this section we let G be an element of prime order r on an elliptic
curve C over a prime field, given by its regular coordinates (x_G, y_G). Let k be
a secret scalar and define P = [k]G. Let (X, Y, Z) be Jacobian projective co-
ordinates for P, computed by the formulae introduced in Section 2, when the
standard double-and-add algorithm is used.

3.1 Grabbing a Few Bits of k

Let t be a small integer and guess the last t bits of k. Once this is done, it is
possible to compute a set of candidates for the coordinates of the sequence of
intermediate values handled by the double-and-add algorithm while processing
k's t trailing bits (appearing at the end of the algorithm). This is achieved
by 'reversing' computations: reversing doubling is halving, i.e. by reversing the
formulae for doubling; reversing an addition amounts to subtracting G. Thus,
we obtain a set of sequences,

    {s1, s2, ..., s_m} where s_j =

of intermediate points, with the final point equal to P. Let M_i = (x_i, y_i) in affine coordinates.
The corresponding projective coordinates which occur we denote by (X_i, Y_i, Z_i).
There are two cases:

— When the step M_i → M_{i+1} is an addition, we have

    Z_{i+1} = (X_i − x_G Z_i^2) Z_i,  which yields  Z_i^3 = Z_{i+1} / (x_i − x_G).

  Here, we need to compute a cubic root to get Z_i from Z_{i+1}. This is impossible
  in some cases when p = 1 mod 3, and when possible, it leads to one of
  three possible Z_i values. When p = 2 mod 3 taking the cubic root is always
  possible and leads to a unique value of Z_i. In either case once a set of possible
  values of Z_i are determined from Z_{i+1} we can obtain X_i and Y_i.

— When the step M_i → M_{i+1} is a doubling, we have

    Z_{i+1} = 2 Y_i Z_i,  which yields  Z_i^4 = Z_{i+1} / (2 y_i).

  Here, we need to compute a fourth root to get Z_i from Z_{i+1}, which is impos-
  sible in some cases. Assume for example that p = 3 mod 4. Then extracting
  a fourth root is possible for one half of the inputs and, when possible, yields
  two values. When p = 1 mod 4 then this is possible in around one quarter
  of all cases and yields four values.

We can now take advantage of the above observation to learn a few bits of k.

More precisely, we observe that, with probability at least 1/2, one can spot
values of k for which the least significant trailing bit is one. Suppose we consider
such a k and make the wrong guess that the last bit is zero. This means that
the final operation is a doubling. The error can be spotted when the value

    Z_t / (2 y_{t−1})

is not a fourth power, which happens with probability at most 1/2. We can then
iterate this to (potentially) obtain a few further bits of k. In the case of the least
significant bit being zero a similar analysis can be performed.
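As an added example (not code from the paper), the Section 2 formulae and the Fig. 2 loop in Python over a constructed toy curve (y^2 = x^3 + 2x + 3 over F_10007, base point found by search, not a standard curve): double_and_add keeps the raw intermediate points, the two final_z_matches_* checks verify the Z relations of this subsection on the value a careless implementation would release, and to_affine / randomize are the two countermeasures the abstract calls for. All function names and parameters are this example's own.

```python
import secrets

P = 10007          # constructed toy prime, P = 3 mod 4 so a square root is one modular power
A, B = 2, 3        # constructed toy curve y^2 = x^3 + A*x + B over F_P (not a standard curve)
INF = None         # point at infinity in either coordinate system


def find_base_point():
    """Return an affine point (x, y) on the toy curve: smallest x with a square rhs."""
    for x in range(1, P):
        rhs = (x ** 3 + A * x + B) % P
        if pow(rhs, (P - 1) // 2, P) == 1:            # Euler criterion
            return (x, pow(rhs, (P + 1) // 4, P))     # sqrt, valid because P = 3 mod 4
    raise ValueError("no point found")

def jac_double(pt):
    """Section 2 doubling formulae (x = X/Z^2, y = Y/Z^3); note Z2 = 2*Y1*Z1."""
    if pt is INF or pt[1] == 0:
        return INF
    X1, Y1, Z1 = pt
    M = (3 * X1 * X1 + A * pow(Z1, 4, P)) % P
    S = (4 * X1 * Y1 * Y1) % P
    X2 = (M * M - 2 * S) % P
    Y2 = (M * (S - X2) - 8 * pow(Y1, 4, P)) % P
    return (X2, Y2, (2 * Y1 * Z1) % P)

def jac_add_affine(pt, g):
    """Section 2 addition formulae with the second point G = (xG, yG) affine, i.e. Z1 = 1."""
    if pt is INF:
        return (g[0], g[1], 1)
    X0, Y0, Z0 = pt
    U0, S0 = X0, Y0                                    # X0*Z1^2 and Y0*Z1^3 with Z1 = 1
    U1, S1 = g[0] * Z0 * Z0 % P, g[1] * pow(Z0, 3, P) % P   # X1*Z0^2 and Y1*Z0^3
    W, R, T, M = (U0 - U1) % P, (S0 - S1) % P, (U0 + U1) % P, (S0 + S1) % P
    if W == 0:                                         # same x: doubling or P + (-P)
        return jac_double(pt) if R == 0 else INF
    X2 = (R * R - T * W * W) % P
    V = (T * W * W - 2 * X2) % P
    Y2 = (V * R - M * pow(W, 3, P)) * pow(2, -1, P) % P  # from 2*Y2 = V*R - M*W^3
    return (X2, Y2, W * Z0 % P)                        # Z2 = W*Z0*Z1 = (X0 - xG*Z0^2)*Z0

def double_and_add(k, g):
    """Fig. 2, most significant bit first. Returns the projective point after every
    elementary step; the last entry is the raw [k]G that a careless implementation
    would leave in memory or hand to an external affine converter."""
    trace, pt = [], INF
    for bit in bin(k)[2:]:
        pt = jac_double(pt)
        trace.append(pt)
        if bit == "1":
            pt = jac_add_affine(pt, g)
            trace.append(pt)
    return trace

def final_z_matches_doubling(trace):
    """Z_last == 2*Y_prev*Z_prev, i.e. the released Z is consistent with a final doubling."""
    (_, Yp, Zp), (_, _, Zf) = trace[-2], trace[-1]
    return Zf == 2 * Yp * Zp % P

def final_z_matches_addition(trace, g):
    """Z_last == (X_prev - xG*Z_prev^2)*Z_prev, i.e. consistent with a final '+ G' step."""
    (Xp, _, Zp), (_, _, Zf) = trace[-2], trace[-1]
    return Zf == (Xp - g[0] * Zp * Zp) * Zp % P

def to_affine(pt):
    """Countermeasure 1: convert on the device and release only (x, y); Z never leaves."""
    if pt is INF:
        return INF
    zi = pow(pt[2], -1, P)
    return (pt[0] * zi * zi % P, pt[1] * pow(zi, 3, P) % P)

def randomize(pt):
    """Countermeasure 2: (X, Y, Z) -> (l^2 X, l^3 Y, l Z) with a fresh l != 0 before release.
    Same affine point, but the Z relations above then hold only by chance (about 1/P)."""
    if pt is INF:
        return INF
    lam = secrets.randbelow(P - 1) + 1
    return (lam * lam * pt[0] % P, pow(lam, 3, P) * pt[1] % P, lam * pt[2] % P)

def affine_add(p, q):
    """Textbook affine addition with field inversions, used only as a reference."""
    if p is INF or q is INF:
        return q if p is INF else p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return INF
    num, den = (3 * p[0] ** 2 + A, 2 * p[1]) if p == q else (q[1] - p[1], q[0] - p[0])
    lam = num * pow(den, -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def affine_mul(k, g):
    """[k]G by k repeated affine additions (slow reference for the cross-check)."""
    r = INF
    for _ in range(k):
        r = affine_add(r, g)
    return r
```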

3.2 Applicability to Different Coordinate Systems

Consider Jacobian projective coordinates:

    (X, Y, Z) ~ (λ^2 X, λ^3 Y, λ Z),

over a field F_q of characteristic q > 3. For a point P = (x, y) ∈ C(F_q) let S_P
denote the set of all equivalent projective representations

    S_P = {(λ^2 x, λ^3 y, λ) : λ ∈ F_q^*}.

The standard addition formulae for computing P + Q, for a fixed value of Q
(by fixed we mean a fixed projective representation of Q, including an affine
representation of Q) give a map

    Ψ_{P,P+Q} : S_P → S_{P+Q}.

The doubling formulae for Jacobian projective coordinates also give us a map

    Ψ_{P,[2]P} : S_P → S_{[2]P}.

The crucial observations from the previous subsection are summarized in the
following Lemma.

Lemma 1. The following holds, for Jacobian projective coordinates in large
prime characteristic:

    If q = 1 mod 3 then Ψ_{P,P+Q} is a 3–1 map.
    If q = 2 mod 3 then Ψ_{P,P+Q} is a 1–1 map.
    If q = 1 mod 4 then Ψ_{P,[2]P} is a 4–1 map.
    If q = 3 mod 4 then Ψ_{P,[2]P} is a 2–1 map.

Note: It is easy, given an element in the image of either Ψ_{P,P+Q} or Ψ_{P,[2]P}, to
determine whether it has pre-images, and if so to compute all of them.

The attack is then simply to consider when a point could have arisen from
an application of Ψ_{P,P+Q} or Ψ_{P,[2]P} and if so to compute all the pre-images and
then recurse. The precise tests one applies at different points will depend on the
precise exponentiation algorithm implemented by the attacked device, a subject
we shall return to in a moment.
For the sake of completeness we present in the following lemmata similar
results for other characteristics and other forms of projective representation. We
concentrate on the most common and the most used coordinate systems and
keep the same conventions and notation as above:

Lemma 2. The following holds, for classical projective coordinates on elliptic
curves over fields of large prime characteristic:

    If q = 1 mod 4 then Ψ_{P,P+Q} is a 4–1 map.
    If q = 3 mod 4 then Ψ_{P,P+Q} is a 2–1 map.
    If q = 1 mod 3 then Ψ_{P,[2]P} is a 6–1 map.
    If q = 2 mod 3 then Ψ_{P,[2]P} is a 2–1 map.

Lemma 3. The following holds, for Jacobian projective coordinates on elliptic
curves over fields of characteristic two:

    If q = 1 mod 3 then Ψ_{P,P+Q} is a 3–1 map.
    If q = 2 mod 3 then Ψ_{P,P+Q} is a 1–1 map.
    For all q,          Ψ_{P,[2]P} is a 1–1 map.

Lemma 4. The following holds, for López-Dahab projective coordinates [6] on
elliptic curves over fields of characteristic two:

    If q = 1 mod 3 then Ψ_{P,[2]P} is a 3–1 map.
    If q = 2 mod 3 then Ψ_{P,[2]P} is a 1–1 map.
    For all q,          Ψ_{P,P+Q} is a 1–1 map.

4 Application: Breaking Projective Schnorr Signatures

Assume now that one wishes to use the protocol described in Figure 1, mim-
icking Schnorr's basic construction [12]. The algorithm is a natural division-free
version of Schnorr's original scheme, and might hence appear both safe and
computationally attractive.

It should be stressed that while we are not aware of any suggestion to use
this variant in practice, it is still not evident, at a first glance, why this algorithm
could be insecure.

We show how to attack this scheme using the observations from the previ-
ous subsection. This is based on recent work by Howgrave-Graham, Smart [3],
Nguyen and Shparlinski [7].

From a sample of N signatures, the attacker obtains around N/2^t signatures
for which he knows that the t low order bits of the hidden nonce k are ones.
Next, for each such k, he considers the relation:

    d + x H(m, P_X, P_Y, P_Z) = k mod r
PARAMETERS AND KEYS
    An elliptic curve C
    G ∈_R C of order r
    A collision-resistant hash function H : {0,1}* → Z_r^*
    Private x ∈_R Z_r^*
    Public Q ← [x]G

SIGNATURE GENERATION
    Pick k ∈_R Z_r^*
    Compute (P_X, P_Y, P_Z) ← [k]G = DoubleAdd(k, G)
    d ← k − x × H(m, P_X, P_Y, P_Z) mod r
    If d = 0 or H(m, P_X, P_Y, P_Z) = 0 resume signature generation
    Output {P_X, P_Y, P_Z, d} as the signature of m

SIGNATURE VERIFICATION
    P ← [d]G + [H(m, P_X, P_Y, P_Z)]Q
    If P ≠ Affine((P_X, P_Y, P_Z)) or d ∉ Z_r^* output invalid
    else output valid

Fig. 1. Division-Free Projective Schnorr Signatures

Using the information he has, the attacker rewrites the above as:

    d − (2^t − 1) + x H(m, P_X, P_Y, P_Z) = k − (2^t − 1) mod r

Dividing by 2^t, he gets a final relation:

    a + b x = u mod r

where a, b are known but x is unknown as well as u. Still the attacker knows
that u is small (< r/2^t). When the attacker has n such relations, he writes,
with a, b, u now denoting the vectors of these values,

    a + b x = u mod r

and considers the lattice L = (b)^⊥, consisting of all integer vectors orthogonal to
b, and applies lattice reduction. Let Λ be an element of L with small Euclidean
norm. We have:

    Λ(a) = Λ(u) mod r

Now, the norm of the right-hand side is bounded by ‖Λ‖ ‖u‖, which is <
‖Λ‖ r √n / 2^t. The order of ‖Λ‖ is r^{1/(n−1)} and, for n large enough and t not too small,
this estimate provides a bound for the right-hand side < r/2. Thus, the modular
equations are actual equations over the integers:

    Λ(a) mod r = Λ(u)
PARAMETERS
Input $k \in \mathbb{Z}_r^*$, $G \in C$
Output $P \leftarrow [k]G$

ALGORITHM DoubleAdd($k$, $G$)
$P \leftarrow \mathcal{O}$
for $j = \ell - 1$ downto $0$:
    $P \leftarrow [2]P$
    if $k_j = 1$ then $P \leftarrow P + G$
return($P$)

Fig. 2. Double-and-Add Exponentiation (here $k = \sum_{j=0}^{\ell-1} k_j 2^j$ with $k_j \in \{0, 1\}$)



The attacker can hope for at most $n - 1$ such relations, since $L$ has dimension $n - 1$. This defines $\mathbf{u}$ up to the addition of an element from a one-dimensional lattice. The correct value is presumably the element in this set closest to the origin. Once $\mathbf{u}$ has been found, the value of $x$ follows from any single relation, since $b$ is invertible modulo $r$.

Lattice reduction experiments reported in [7] show that, with elliptic curves of standard dimensions, the attack will succeed as soon as $t$ reaches 5 digits. The deeper analysis of Nguyen and Shparlinski shows that the significant theoretical bound is related to $\sqrt{\log r}$.
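The recovery step above, carried out as an added, runnable example that is not part of the paper: a textbook LLL over exact rationals (the variant in Cohen's *A Course in Computational Algebraic Number Theory*, Alg. 2.6.3) applied to the standard hidden-number-problem embedding lattice used by Nguyen and Shparlinski [7], rather than the orthogonal lattice $(\mathbf{b})^\perp$ of the sketch. Everything is toy-sized and constructed: the curve order $r$ is replaced by the 31-bit prime $2^{31} - 1$, the hash value $H(m, P_x, P_y, P_z)$ by a uniformly random element of $\mathbb{Z}_r^*$ (the attack never touches the curve), and the attacker's filtering step by drawing nonces that already end in $t = 10$ one bits. With only $n = 10$ relations and so small an $r$, proportionally more known bits are needed than the 5 digits quoted above for standard curve sizes.

```python
from fractions import Fraction
import random

R_ORDER = 2147483647     # 2^31 - 1, prime: toy stand-in for the curve order r (constructed)
T_BITS = 10              # trailing nonce bits the projective leak reveals to be ones
N_SIGS = 10              # relations used, n in Section 4

def dot(u, v):
    return sum(p * q for p, q in zip(u, v))

def lll_reduce(basis, delta=Fraction(99, 100)):
    """LLL on integer row vectors, keeping exact Gram-Schmidt data (Cohen, Alg. 2.6.3)."""
    b = [list(row) for row in basis]
    n = len(b)
    mu = [[Fraction(0)] * n for _ in range(n)]
    B = [Fraction(0)] * n                      # squared norms of the Gram-Schmidt vectors
    for i in range(n):
        for j in range(i):
            mu[i][j] = (dot(b[i], b[j]) - sum(mu[j][l] * mu[i][l] * B[l] for l in range(j))) / B[j]
        B[i] = Fraction(dot(b[i], b[i])) - sum(mu[i][j] ** 2 * B[j] for j in range(i))
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):         # size-reduce b_k against b_{k-1}, ..., b_0
            q = round(mu[k][j])
            if q:
                b[k] = [p - q * s for p, s in zip(b[k], b[j])]
                mu[k][j] -= q
                for l in range(j):
                    mu[k][l] -= q * mu[j][l]
        if B[k] >= (delta - mu[k][k - 1] ** 2) * B[k - 1]:   # Lovasz condition holds
            k += 1
            continue
        b[k], b[k - 1] = b[k - 1], b[k]        # otherwise swap and patch mu, B in place
        for j in range(k - 1):
            mu[k][j], mu[k - 1][j] = mu[k - 1][j], mu[k][j]
        m = mu[k][k - 1]
        B_new = B[k] + m * m * B[k - 1]
        mu[k][k - 1] = m * B[k - 1] / B_new
        B[k] = B[k - 1] * B[k] / B_new
        B[k - 1] = B_new
        for i in range(k + 1, n):
            tmp = mu[i][k]
            mu[i][k] = mu[i][k - 1] - m * tmp
            mu[i][k - 1] = tmp + mu[k][k - 1] * mu[i][k]
        k = max(k - 1, 1)
    return b

def leaky_signatures(x, rng, r=R_ORDER, t=T_BITS, n=N_SIGS):
    """Signer of Fig. 1 restricted to the nonces the leak singles out.

    A real attacker filters about n * 2^t signatures down to the n whose nonce ends in
    t one bits; here those nonces are drawn directly. Returns only what the attacker
    sees, the (h, d) pairs; k and x are never handed back."""
    mask = (1 << t) - 1
    sigs = []
    for _ in range(n):
        k = (rng.randrange(1, r >> t) << t) | mask     # t trailing ones, and k < r
        h = rng.randrange(1, r)                        # stands in for H(m, Px, Py, Pz)
        sigs.append((h, (k - x * h) % r))              # d = k - x*h mod r
    return sigs

def recover_key(sigs, r=R_ORDER, t=T_BITS):
    """Form a_i + b_i x = u_i (mod r) with u_i < r/2^t and solve by lattice reduction."""
    n = len(sigs)
    inv2t = pow(2, -t, r)
    a = [((d - ((1 << t) - 1)) * inv2t) % r for h, d in sigs]
    b = [(h * inv2t) % r for h, d in sigs]
    # Embedding lattice: x*row_b + row_a - sum(m_i * row_i) = (2^t u_1, ..., 2^t u_n, x, r),
    # every entry below r, far shorter than a generic vector of this lattice.
    scale = 1 << t
    rows = [[r * scale if c == i else 0 for c in range(n + 2)] for i in range(n)]
    rows.append([scale * bi for bi in b] + [1, 0])
    rows.append([scale * ai for ai in a] + [0, r])
    for v in lll_reduce(rows):
        if abs(v[-1]) != r:
            continue
        cand = (v[-2] if v[-1] == r else -v[-2]) % r
        if all(((ai + bi * cand) % r) * scale < r for ai, bi in zip(a, b)):
            return cand                                # all u_i small: the key is found
    return None

def demo(seed=2004):
    """Returns (true private key, recovered private key) for a fresh random key."""
    rng = random.Random(seed)
    x = rng.randrange(1, R_ORDER)
    return x, recover_key(leaky_signatures(x, rng))

if __name__ == "__main__":
    secret, found = demo()
    print("recovered" if secret == found else "failed", found)
```

The check at the end of `recover_key` is the practitioner's guard against reading the wrong basis vector: a candidate is accepted only if every $u_i$ it implies is below $r/2^t$, which a wrong $x$ fails with overwhelming probability.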



5 Practical Experiments 

The double-and-add exponentiation's case is the simplest to analyse: given the projective representation of the result $P$, we can try and 'unwind' the algorithm with respect to the fixed point $G$.

In other words, we can check whether there is a value $P'$ such that

$$\Psi_{P',P'+G}(P') = P$$

and if so compute all the pre-images $P'$. Then for all pre-images $P'$ we can check whether this was the result of a point doubling. We also need to check whether $P$ itself was the output of a point doubling. This results in a backtracking-style algorithm which investigates all possible execution paths through the algorithm.

There are two factors at work here. For each test of whether $\Psi_{P,P+G}$ (resp. $\Psi_{P,[2]P}$) was applied we have a representation-dependent probability $p$ (from the above lemmata); this acts in the attacker's favour. However, each success of this test yields $1/p$ pre-images, which increases the attacker's workload. The result is that, while practical, the attack against the double-and-add algorithm is not as efficient as one might initially hope.
We ran one thousand experiments for each residue class of the prime characteristic $q$ modulo 12. Table 1 presents the success rate of determining the parity of the secret exponent. One should interpret the entries in the table as follows: for example with $q \equiv 5 \pmod{12}$, we found that in 71 percent of all cases in which $k$ was even we were able to determine this using the above backtracking algorithm. This means that in these cases the execution path which started with assuming $P$ was the output of a point addition was eventually determined to be invalid.



Table 1. Probability of Determining the Secret's Parity Using Double-and-Add Exponentiation

q mod 12                            1      5      7      11
Pr[parity determined | k even]     0.98   0.71   0.80   0.50
Pr[parity determined | k odd]      0.95   0.74   0.50   0.47
Pr[parity determined]              0.96   0.72   0.65   0.48



Only in the cases $q \equiv 1 \pmod{12}$ and $q \equiv 7 \pmod{12}$ did we have any success in determining the value of the secret exponent modulo 8 precisely (around 50 percent of the time when $q \equiv 1 \pmod{12}$ and 8 percent of the time when $q \equiv 7 \pmod{12}$).

We did a similar experiment using the signed sliding window method, with a window width of 5 (see also Algorithm IV.7 of [1]), assuming that the precomputed table of multiples of the base point is known to the attacker. In this case we had a much lower probability of determining the parity, but could still determine the value of the exponent modulo 32 in a significant number of cases (Table 2).



Table 2. Probability of Determining the Secret's Parity Using Signed Sliding Window Exponentiation

q mod 12                            1      5      7      11
Pr[parity determined | k even]     0.86   0.00   0.05   0.00
Pr[parity determined | k odd]      0.81   0.75   0.49   0.53
Pr[parity determined]              0.81   0.37   0.27   0.26
Pr[k mod 32 determined]            0.42   0.01   0.01   0.00



Note that this means that if $q \equiv 1 \pmod{12}$ then we will be successful in determining the full private key for the division-free signature algorithm of Section 4 using lattice reduction.
PARAMETERS
Input $k \in \mathbb{Z}_r^*$, $G \in C$
Output $P \leftarrow [k]G$

PRECOMPUTATION
$G_1 \leftarrow G$
$G_2 \leftarrow [2]G$
for $j = 1$ to $2^{w-2} - 1$:
    $G_{2j+1} \leftarrow G_{2j-1} + G_2$
$P \leftarrow G_{k_{\ell-1}}$

EXPONENT ENCODING
set $k = \sum_{i=0}^{\ell-1} k_i 2^{c_i}$
with $c_{i+1} - c_i \geq w$ and $k_i \in \{\pm 1, \pm 3, \ldots, \pm(2^{w-1} - 1)\}$

ALGORITHM SlidingWindow($k$, $G$)
for $j = \ell - 2$ downto $0$:
    $P \leftarrow [2^{c_{j+1} - c_j}]P$
    if $k_j > 0$ then $P \leftarrow P + G_{k_j}$ else $P \leftarrow P - G_{-k_j}$
$P \leftarrow [2^{c_0}]P$
return($P$)

Fig. 3. Signed Sliding Window Exponentiation ($w$ denotes the window width)



6 Thwarting the Attack

There is a simple trick that avoids the attacks described in the previous sections. It consists in randomly replacing the output $(X, Y, Z)$ of the computation by $(X, \varepsilon Y, \varepsilon Z)$, with $\varepsilon = \pm 1$ (in Jacobian coordinates this is the substitution $\lambda = -1$, so the point itself is unchanged). This makes it impossible for an attacker to spot projective coordinates which cannot be obtained by squaring. It should be underlined that this countermeasure (which we regard as a challenge for the research community) thwarts our specific attack but does not lend itself to a formal security proof. Note that such a defence only appears to be needed at the end of the computation, as our attack model assumes the attacker does not obtain any intermediate points from the multiplication algorithm.

A more drastic method replaces $(X, Y, Z)$ by $(\lambda^2 X, \lambda^3 Y, \lambda Z)$, where $\lambda$ is randomly chosen among the non-zero elements of the base field (with ordinary projective coordinates, one uses $(\lambda X, \lambda Y, \lambda Z)$). This method provides a uniformly random set of projective coordinates for the result and, therefore, cannot leak additional information.
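The scheme of Figure 1 and the countermeasure just described, as an added example that is not the paper's code: Jacobian-coordinate arithmetic on a toy curve $y^2 = x^3 + x + B$ over $\mathbb{F}_{1019}$ (the coefficient $B$ is searched for until the group order is prime, which is this example's own construction), the DoubleAdd of Figure 2, signing and verification as in Figure 1 with SHA-256 reduced mod $r$ standing in for $H$, and the $(\lambda^2 X, \lambda^3 Y, \lambda Z)$ re-randomisation applied to the output point before it is hashed. The blinded signature still verifies because Affine() is invariant under the substitution, which is also why the verifier's comparison in Figure 1 goes through Affine rather than comparing projective triples directly.

```python
import hashlib
import random

P_MOD, A, INF = 1019, 1, (1, 1, 0)   # toy field (1019 = 3 mod 4), curve coefficient a, infinity (Z = 0)

def jac_double(P):
    """[2]P in Jacobian coordinates (x = X/Z^2, y = Y/Z^3), general-a formulas."""
    X, Y, Z = P
    if Z == 0 or Y == 0:
        return INF
    S, M = 4 * X * Y * Y % P_MOD, (3 * X * X + A * pow(Z, 4, P_MOD)) % P_MOD
    X3 = (M * M - 2 * S) % P_MOD
    return (X3, (M * (S - X3) - 8 * pow(Y, 4, P_MOD)) % P_MOD, 2 * Y * Z % P_MOD)

def jac_add(P, Q):
    """P + Q in Jacobian coordinates, with the P = Q and P = -Q cases handled."""
    if P[2] == 0 or Q[2] == 0:
        return Q if P[2] == 0 else P
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    U1, U2 = X1 * Z2 * Z2 % P_MOD, X2 * Z1 * Z1 % P_MOD
    S1, S2 = Y1 * pow(Z2, 3, P_MOD) % P_MOD, Y2 * pow(Z1, 3, P_MOD) % P_MOD
    H, W = (U2 - U1) % P_MOD, (S2 - S1) % P_MOD
    if H == 0:
        return jac_double(P) if W == 0 else INF
    H2, H3 = H * H % P_MOD, pow(H, 3, P_MOD)
    X3 = (W * W - H3 - 2 * U1 * H2) % P_MOD
    return (X3, (W * (U1 * H2 - X3) - S1 * H3) % P_MOD, H * Z1 * Z2 % P_MOD)

def double_and_add(k, G):
    """Fig. 2: left-to-right double-and-add; its output representation is what leaks."""
    P = INF
    for bit in bin(k)[2:]:
        P = jac_double(P)
        if bit == "1":
            P = jac_add(P, G)
    return P

def affine(P):
    """Affine((X, Y, Z)); None for the point at infinity."""
    if P[2] == 0:
        return None
    zi = pow(P[2], -1, P_MOD)
    return (P[0] * zi * zi % P_MOD, P[1] * pow(zi, 3, P_MOD) % P_MOD)

def _prime_order_curve():
    """Search b until #E(F_p), counted with Legendre symbols, is prime; return (b, r, G)."""
    for b in range(1, P_MOD):
        if (4 * A ** 3 + 27 * b * b) % P_MOD == 0:
            continue                                    # singular curve
        count, gen = 1, None
        for x in range(P_MOD):
            rhs = (x ** 3 + A * x + b) % P_MOD
            if rhs == 0:
                count += 1
            elif pow(rhs, (P_MOD - 1) // 2, P_MOD) == 1:
                count += 2
                gen = gen or (x, pow(rhs, (P_MOD + 1) // 4, P_MOD), 1)
        if gen and all(count % d for d in range(2, int(count ** 0.5) + 1)):
            return b, count, gen                        # prime order: every point generates

B, R_ORDER, G = _prime_order_curve()

def hash_to_zr(m, P):
    """H(m, Px, Py, Pz): the projective triple itself is hashed, exactly as in Fig. 1."""
    digest = hashlib.sha256(f"{m}|{P[0]}|{P[1]}|{P[2]}".encode()).digest()
    return int.from_bytes(digest, "big") % R_ORDER

def rerandomize(P, rng):
    """Section 6: (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for a uniformly random nonzero l."""
    lam = rng.randrange(1, P_MOD)
    return (lam * lam * P[0] % P_MOD, pow(lam, 3, P_MOD) * P[1] % P_MOD, lam * P[2] % P_MOD)

def sign(x, m, rng, blind=False):
    """Fig. 1 signature generation; blind=True applies the countermeasure before hashing."""
    while True:
        k = rng.randrange(1, R_ORDER)
        P = double_and_add(k, G)
        if blind:
            P = rerandomize(P, rng)
        h = hash_to_zr(m, P)
        d = (k - x * h) % R_ORDER
        if d != 0 and h != 0:
            return (P, d)

def verify(Q, m, sig):
    """Fig. 1 verification: [d]G + [h]Q compared with Affine((Px, Py, Pz))."""
    P, d = sig
    if not 0 < d < R_ORDER or P[2] == 0:
        return False
    h = hash_to_zr(m, P)
    return affine(jac_add(double_and_add(d, G), double_and_add(h, Q))) == affine(P)

def demo(seed=7):
    """(raw signature verifies, re-randomised signature verifies, tampered one verifies)."""
    rng = random.Random(seed)
    x = rng.randrange(1, R_ORDER)
    Q, m = double_and_add(x, G), "projective coordinates leak"
    raw, blinded = sign(x, m, rng), sign(x, m, rng, blind=True)
    return verify(Q, m, raw), verify(Q, m, blinded), verify(Q, m, (raw[0], (raw[1] + 1) % R_ORDER))
```

Because the hash covers the projective triple, the re-randomisation has to happen before hashing; blinding only the transmitted point after the hash was computed would break verification, and blinding an intermediate point would not help against the model above, where only the final output is observed.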

With this new protection, the division-free signature scheme of Section 4 can be shown to be secure in the random oracle model against adaptive attackers trying to achieve existential forgery. We outline the proof. As usual (see [9]), one uses the attacker to solve the discrete logarithm problem (here, on $C$). The public key of the scheme is set to $Q$, the curve element for which we want to compute the discrete logarithm in base $G$. Signature queries are answered by randomly creating $P = [d]G + [h]Q$, picking random projective coordinates for $P$, say $(X, Y, Z)$, and setting the hash value of $(m, X, Y, Z)$ to any element $\equiv h \bmod r$. Thus fed, the attacker should create a forged message-signature pair with significant probability. We let $m$ be the corresponding message and $\{X, Y, Z, d\}$ be the signature. With significant probability, $(m, X, Y, Z)$ is queried from the random oracle. Replaying the attack with a different answer modulo $r$ to this question, one gets, with significant probability, another forgery $\{X, Y, Z, d'\}$ on $m$, with $h$ replaced by $h'$. From the relation

$$[d]G + [h]Q = [d']G + [h']Q$$

one finally derives the discrete logarithm of $Q$, namely $(d - d')/(h' - h) \bmod r$.
Abstract. This paper provides either security proofs or attacks for a large number of identity-based identification and signature schemes defined either explicitly or implicitly in existing literature. Underlying these is a framework that on the one hand helps explain how these schemes are derived, and on the other hand enables modular security analyses, thereby helping to understand, simplify and unify previous work.



1 Introduction 

Current state of the area. The late eighties and early nineties saw the proposal 
of many identity-based identification (IBI) and identity-based signature (IBS) schemes. 
These include the Fiat-Shamir IBI and IBS schemes [11], the Guillou-Quisquater IBI 
and IBS schemes [16], the IBS scheme in Shamir’s paper [29] introducing identity- 
based cryptography, and others [21, 13, 6]. Now, new, pairing-based IBS schemes are 
being proposed [26, 17, 23, 8, 32]. 

Prompted by the renewed interest in identity-based cryptography that has followed 
identity-based encryption (IBE) [7], we decided to revisit the IBI and IBS areas. An 
examination of past work revealed the following. 

Although there is a lot of work on proving security in the identification domain, it pertains to standard rather than identity-based schemes. (For example, security proofs have been provided for standard identification schemes related to the Fiat-Shamir and Guillou-Quisquater IBI schemes [10, 4], but not for the IBI schemes themselves.) In fact, a provable-security treatment of IBI schemes is entirely lacking: there are no security definitions, and none of the existing schemes is proven secure. Given the practical importance and usage of IBI schemes, this is an important (and somewhat surprising) gap.
The situation for IBS is somewhat better. Cha and Cheon provide a definition of security for IBS schemes and prove their scheme secure [8]. Dodis, Katz, Xu, and Yung [9] define a class of standard signature (SS) schemes that they call trapdoor, and then present a random-oracle-using transform (let us call it tSS-2-IBS) that turns any secure trapdoor SS (tSS) scheme into a secure IBS scheme. Security proofs for several existing IBS schemes, including those of [11, 16], are obtained by observing that these are the result of applying tSS-2-IBS to underlying tSS schemes already proven secure in the literature [24, 20, 1]. However, as we will see, there are several IBS schemes not yet proven secure (one example is Shamir's IBS scheme [29]), either because they are not the result of applying tSS-2-IBS to a tSS scheme, or because, although they are, the tSS scheme in question has not yet been analyzed.

The goal of this paper is to fill the above-mentioned gaps in the IBI and IBS areas.

Preliminaries. The first step, naturally, is definitions. We extend to the IBI setting 
the three notions of security for standard identification (SI) schemes, namely security 
against impersonation under passive attacks (imp-pa), active attacks (imp-aa) [10], and 
concurrent attacks (imp-ca) [4]. Our model allows the adversary to expose user (prover) 
keys, and to mount either passive, active, or concurrent attacks on the provers, winning 
if it succeeds in impersonating a prover of its choice. We remark that although existing 
security definitions for other identity-based primitives [7, 8, 9] give us some guidance 
as to what adversary capabilities to consider, there are some issues in the definition for 
IBI that need thought, mainly related to what capabilities the adversary gets in what 
stage of its two-stage attack. See Section 2. 

The security notion for SS schemes is the standard unforgeability under chosen- 
message attack (uf-cma) [15]. An appropriate extension of it for IBS schemes exists 
[8, 9] and we refer to it also as uf-cma. These definitions are recalled in the full version 
of the paper [2] . 

Certification-based IBI and IBS. Before executing the main task of analyzing practical IBI and IBS schemes, we pause to consider the following natural design of an IBI scheme, based on any given SI scheme, via the certification paradigm. The authority picks a public and secret key pair $(pk, sk)$ for a SI scheme, and provides these to prover $I$ along with a certificate cert consisting of the authority's signature on $(I, pk)$. The prover can now send $pk$, cert to the verifier and then identify itself via the SI scheme under $pk$. The verifier needs to know only $I$ and the public key of the authority in order to authenticate the prover.

In [2], we prove that the above yields a secure IBI scheme. An analogous result 
holds in the IBS case. We believe that this is worth noting because it highlights the fact 
that, unlike IBE [7], IBI and IBS are trivial to achieve (and in particular do not require 
random-oracles), and enables us to better understand what the practical schemes are 
trying to do, namely to beat the trivial certification-based schemes in performance. 

Main contributions and approach. This paper delivers security proofs for a 
large number of practical IBI and IBS schemes, including not only the ones mentioned 
above, but many more that we surface as having been, with hindsight, implicit in the 
literature. 
Fig. 1. Family of schemes associated to a cSI scheme Name-SI. If Name-SI is imp-atk secure then Name-IBI is also imp-atk secure, for all atk $\in$ {pa, aa, ca}. If Name-SI is imp-pa secure then Name-IBS is uf-cma secure. Implicit in drawing the diagram this way is that fs-I-2-S(cSI-2-IBI(Name-SI)) = cSS-2-IBS(fs-I-2-S(Name-SI)).



We do this in two steps. In the first step, we provide a framework that (in most cases) 
reduces proving security of IBI or IBS schemes to proving security of an underlying SI 
scheme. In a few cases, we found that the SI schemes in question were already analyzed 
in the literature, but in many cases they were not. The second step, where lies the main 
technical work of the paper, is to provide security proofs for those SI schemes not 
already proven secure, and then provide direct security proofs for the few exceptional 
IBI or IBS schemes that escape being captured by our framework. 

The framework, we believe, is of value beyond its ability to reduce proving secu- 
rity of IBI and IBS schemes to proving security of SI schemes. It helps understand 
how schemes are being derived, and in the process surfaces the implicit schemes we 
mentioned above. Overall, the framework contributes to simplifying and unifying our 
picture of the area. We now explain the framework, which is based on a set of trans- 
forms, and then summarize the results for specific schemes. 

The transforms. We introduce (cf. Definition 2) a class of SI schemes that we call convertible. The idea is that their key-generation process be underlain by a primitive called a trapdoor samplable relation that we introduce in Definition 1. We then present a random-oracle-using transform cSI-2-IBI that transforms a convertible SI (cSI) scheme into an IBI scheme (cf. Construction 1). Theorem 1 shows that cSI-2-IBI is security-preserving, meaning that if the starting cSI scheme is imp-atk secure then so is the resulting IBI scheme (in the random oracle model), for each atk $\in$ {pa, aa, ca}. This will be our main tool for proving security of IBI schemes.

It is useful to analogously define convertible standard signature (cSS) schemes and 
a transform cSS-2-IBS that turns a uf-cma secure cSS scheme into a uf-cma secure IBS 
scheme. These extend [9] in the sense that any tSS scheme is also a cSS scheme, and 
cSS-2-IBS coincides with tSS-2-IBS when the starting scheme is a tSS scheme, but the 
class of cSS schemes is larger than the class of tSS schemes. 

Now let fs-I-2-S denote the (random-oracle using) Fiat-Shamir transform [11] which turns a SI scheme into a SS scheme. We know that if the former is imp-pa secure then the latter is uf-cma secure [1]. (Application of the transform and this last result requires that the starting SI scheme be a three-move public-coin protocol satisfying a certain technical condition, but all this will always be true for the applications we consider.)

Putting the above together yields Corollary 1, which says that, as long as a cSI scheme X is imp-pa secure, the IBS scheme cSS-2-IBS(fs-I-2-S(X)) is uf-cma secure. This will be our main tool for proving security of IBS schemes.

We note that fs-I-2-S also transforms a given IBI scheme into an IBS scheme. Furthermore, cSS-2-IBS(fs-I-2-S(X)) = fs-I-2-S(cSI-2-IBI(X)) for any cSI scheme X. In other words, the diagram of Figure 1 "commutes."

As an aside, we remark that the analogue of the result of [1] does not hold for fs-I-2-S as a transform of IBI schemes to IBS schemes: Proposition 1 shows that there exists an imp-pa secure IBI scheme Y which under fs-I-2-S yields an insecure IBS scheme. This does not contradict the above since this Y is not the result of cSI-2-IBI applied to a cSI scheme, but it makes things more difficult in a few exceptional cases (that we will see later) in which we need to consider an IBS scheme Z = fs-I-2-S(Y) where Y is an IBI scheme that is not equal to cSI-2-IBI(X) for any cSI scheme X. See the end of Section 3 for more information.

Scheme families. We seek to explain any IBI scheme Y in the literature by surfacing a cSI scheme X such that cSI-2-IBI(X) = Y. We seek to explain any IBS scheme Z in the literature by surfacing a cSI scheme X such that cSS-2-IBS(fs-I-2-S(X)) = Z. We are able to do this for the schemes in [11, 16, 29, 13, 17, 8, 32, 6] and for the RSA-based IBI scheme in [21], which, by Theorem 1 and Corollary 1, reduces the task of showing that Y, Z are secure to showing that X is secure in these cases.

We remark that the above gives rise to numerous schemes that are "new" in the sense that they were not provided explicitly in the literature. For example, Shamir [29] defined an IBS scheme but no IBI scheme. (He even says providing an IBI scheme is an open question.) Denoting Shamir's IBS scheme by Sh-IBS, we surface the cSI scheme Sh-SI such that cSS-2-IBS(fs-I-2-S(Sh-SI)) = fs-I-2-S(cSI-2-IBI(Sh-SI)) = Sh-IBS. As a consequence, we surface the IBI scheme Sh-IBI = cSI-2-IBI(Sh-SI) that is related in a natural way to Sh-IBS, namely by the fact that fs-I-2-S(Sh-IBI) = Sh-IBS. In an analogous way we surface IBI schemes Hs-IBI and ChCh-IBI underlying the IBS schemes of [17] and [8, 32], respectively.

Beside explaining existing IBI or IBS schemes, we are able to derive some new 
ones. We found papers in the literature [19, 22, 12] not defining IBI or IBS schemes, 
but defining SI schemes that we can show are convertible. Our transforms then yield 
new IBI and IBS schemes that we analyze. 

We feel that this systematic surfacing of implicit schemes helps to homogenize, unify, and simplify the area. Figure 1 summarizes the perspective that emerges. We view schemes as occurring in families. Each family has a family name Name. At the core of the family is a cSI scheme Name-SI. The other schemes are related to it via Name-IBI = cSI-2-IBI(Name-SI), Name-SS = fs-I-2-S(Name-SI), and Name-IBS = cSS-2-IBS(Name-SS). If Name-SI is secure, so are all other schemes in the family.

Results for specific schemes. In order to complete the task of obtaining security 
proofs for the existing and new IBI and IBS schemes we have discussed, it remains 
to analyze the cSI schemes underlying the families in question. This turns out to be a 
large task, for although in a few cases the cSI scheme is one already analyzed in the 
Fig. 2. Summary of security results. Column 1 is the family name of a family of schemes. Column 2 indicates which of the four member-schemes of the family existed in the literature. (The others we surface.) In the security columns, a known result is indicated via a reference to the paper establishing it. The marks I, P, and A all indicate new results obtained in this paper. An I indicates a proof of security obtained by implication. (If under Name-IBI it means we obtain it via Theorem 1, if under Name-IBS it means we obtain it either via Corollary 1 or via our modified fs-I-2-S transform, if elsewhere it means it follows easily from, or is an easy extension of, existing work.) A P indicates a new security proof, such as a from-scratch analysis of some SI or IBI scheme. An A indicates an attack that we have found. A U indicates that the security status is unknown. In all but the last two rows, the SI scheme is convertible. The first set of schemes are factoring based, the next RSA based, the next pairing based, and the last DL based. For each of the schemes above except for the last two, Name-IBS is obtained through the fs-I-2-S transform. OkDL-IBS and BNN-IBS are obtained through a modified version of the fs-I-2-S transform.



literature, we found (perhaps surprisingly) that in many cases it is not. Additionally, we 
need to directly analyze two IBI schemes not underlain by cSI schemes, namely the 
DL-based scheme in [21], and a somewhat more efficient Schnorr-based [27] variant 
that we introduce. 

A summary of our results is in Figure 2. Section 4 and the full version of the pa- 
per [2] provide scheme descriptions and more precise result statements. Note all secu- 
rity proofs for SS, IBI, and IBS schemes are in the random-oracle (RO) model of [5]. 
Proofs are in [2]. Here, we highlight some of the important elements of these results. 

Cases captured by our framework. Section 4 begins by surfacing SI schemes underlying the first 12 (i.e. all but the last two) families of Figure 2 and shows that they are convertible, so that the picture of Figure 1 holds in all these cases and we need only consider security of the cSI schemes. The analysis of these schemes follows.

Easy cases are FS, ItR (the iterated-root, also called $2^t$-th root, family), FF, GQ, and OkRSA (an RSA-based family from [21]) where the SI schemes are already present and analyzed in the literature [10, 28, 12, 4, 21].

The Sh-SI scheme turns out to be a mirror-image of GQ-SI, and is interesting 
technically because we show that it is honest-verifier zero-knowledge (HVZK) even 
though it might not at first appear to be so. Based on this, we prove that it is imp-pa 
(cf. Theorem 3), but simple attacks show that imp-aa and imp-ca do not hold. A slight 
modification Sh*-SI of this scheme however is not only imp-pa but also proven imp-aa 
and imp-ca secure under the one-more-RSA assumption of [3] (cf. Theorem 4), so that 
its security is like that of GQ-SI [4]. 

An attack and a fix for Girault’s IBI scheme [13] were proposed in [25], but we find 
attacks on the fixed scheme as well, breaking all schemes in the family. 

We prove imp-pa security of the pairing-based SOK-SI, Hs-SI and ChCh-SI 
schemes under a computational DH assumption and imp-aa, imp-ca security under a 
one-more computational DH assumption (cf. Theorems 5 and 6). We remark that the 
SOK-IBS scheme defined via our transforms is not the one of [26], but is slightly differ- 
ent. This suggests the value of our framework, for it is unclear whether the IBS scheme 
of [26] can be proved uf-cma secure, whereas Corollary 1 implies that SOK-IBS is 
uf-cma secure. 

Since the discrete-log function has no known trapdoor it is not an obvious starting 
point for IBI schemes, but some do exist. Beth’s (unproven) IBI scheme [6] is based on 
ElGamal signatures. The proof of convertibility of the Beth-SI scheme we surface is in- 
teresting in that it exploits the existential forgeability of ElGamal signatures. Theorem 7 
says that Beth-SI is imp-pa secure if the hashed-message ElGamal signature scheme is 
universally unforgeable under no-message attack in the random-oracle model. 

Exceptions. The last two rows of Figure 2 represent cases where our framework does not apply and direct analyses are needed. The first such case is an unproven DL-based IBI scheme OkDL-IBI due to Okamoto [21], which introduces an interesting SS-based method for constructing IBI schemes and instantiates it with his own DL-based SS scheme. We were unable to surface any cSI scheme which under cSI-2-IBI maps to OkDL-IBI. (OkDL-IBI can be "dropped" in a natural way to a SI scheme OkDL-SI, but the latter does not appear to be convertible.) However, we show in [2] that OkDL-IBI is nevertheless imp-pa, imp-aa, and imp-ca secure assuming hardness of the DL problem. This direct proof is probably the most technical in the paper and uses the security of Okamoto's DL-based SS scheme under a weakened notion of non-malleability [31], which is established via an extension of the result of [1] combined with results from [21]. We also present a new IBI scheme BNN-IBI that is based on the paradigm underlying OkDL-IBI but uses Schnorr signatures [27] instead of Okamoto signatures. It is slightly more efficient than OkDL-IBI. Security results are analogous to those above. See [2] for descriptions of the schemes and our results.

Proposition 1 precludes proving security of the IBS schemes fs-I-2-S(OkDL-IBI) and fs-I-2-S(BNN-IBI) based merely on the security properties of the IBI schemes. However, we slightly modify the classical fs-I-2-S transform and obtain a transform that yields a uf-cma secure IBS scheme when applied to an imp-pa IBI scheme. We can then apply this transform to OkDL-IBI or BNN-IBI to obtain uf-cma IBS schemes.

Related work. Independent of our work, Kurosawa and Heng [18] recently presented a transform from a certain class of "zero-knowledge" SS schemes to IBI schemes. However, the IBI scheme resulting from their transform is only shown to be secure against impersonation under passive attacks.

2 Security Notions for Identification Schemes 

Notation. We let $\mathbb{N} = \{1, 2, 3, \ldots\}$ denote the set of natural numbers. If $k \in \mathbb{N}$, then $1^k$ is the string of $k$ ones. The empty string is denoted $\varepsilon$. If $x, y$ are strings, then $|x|$ is the length of $x$ and $x \| y$ is the concatenation of $x$ and $y$. If $S$ is a set, then $|S|$ is its cardinality. If $A$ is a randomized algorithm, then $A(x_1, x_2, \ldots : O_1, O_2, \ldots)$ means that $A$ has inputs $x_1, x_2, \ldots$ and access to oracles $O_1, O_2, \ldots$, and $y \leftarrow A(x_1, x_2, \ldots : O_1, O_2, \ldots)$ means that the output of $A$'s run is assigned to $y$. We denote the set of all possible outputs by $[A(x_1, x_2, \ldots : O_1, O_2, \ldots)]$, the running time of $A$ by $T_A$, and the number of times $A$ queried the $O_i$ oracle by $Q^A_{O_i}$. We define $Q^A = \sum_i Q^A_{O_i}$.

An interactive algorithm (modelling a party such as prover or verifier in a protocol) is a stateful algorithm that on input an incoming message $M_{in}$ (this is $\varepsilon$ if the party is initiating the protocol) and state information $St$ outputs an outgoing message $M_{out}$ and updated state $St'$. For an interactive algorithm $A$ that has access to oracles $O_1, O_2, \ldots$, this is written as $(M_{out}, St') \leftarrow A(M_{in}, St : O_1, O_2, \ldots)$. The initial state of $A$ contains its inputs and optionally a random tape $\rho$; if no random tape is explicitly given in the initial state, $A$ is assumed to toss its own coins.

Standard identification schemes. A standard identification (SI) scheme is a tuple SI = (Kg, P, V) where Kg is the randomized polynomial-time key generation algorithm, and P and V are polynomial-time interactive algorithms called the prover and verifier algorithms, respectively. In an initialization step, the prover runs Kg($1^k$), where $k$ is a security parameter, to obtain a key pair $(pk, sk)$, and publishes the public key $pk$ while keeping the secret key $sk$ private. In the interactive identification protocol, the prover runs P with initial state $sk$, and the verifier runs V with initial state $pk$. The first and last messages of the protocol belong to the prover. The protocol ends when V enters either the acc or rej state. We require that for all $k \in \mathbb{N}$ and for all $(pk, sk) \in [\mathrm{Kg}(1^k)]$, the result of the interaction between P (initialized with $sk$) and V (initialized with $pk$) is acc with probability one.

Security of SI schemes. An adversary $A$ is a pair of algorithms $(CV, CP)$ called the cheating verifier and the cheating prover [10]. We briefly recall the notions of imp-pa, imp-aa [10], and imp-ca [4]. The experiment first chooses keys $(pk, sk)$ via Kg($1^k$) and then runs $CV$ on $pk$. For a passive attack (pa), $CV$ gets a conversation oracle, which, upon a query, returns a transcript of the conversation between P (with initial state $sk$) and V (with initial state $pk$), each time generated under fresh coins for both parties. For an active attack (aa) or concurrent attack (ca), $CV$ gets a prover oracle PROV. Upon a query $(M, s)$ where $M$ is a message and $s$ is a session number, the PROV oracle runs the prover algorithm using $M$ as an incoming message and returns the prover's outgoing message while maintaining the prover's state associated with the session $s$ across the invocations. (For each new session, PROV uses fresh random coins to start the prover, initializing it with $sk$.) The difference between active and concurrent attacks is that the former allows only a single prover to be active at a time. Eventually, $CV$ halts with some output that is given to $CP$, and $A$ wins if the interaction between $CP$ and V (initialized with $pk$) leads the latter to accept. For atk $\in$ {pa, aa, ca}, the imp-atk advantage of $A$ in attacking SI is written as $\mathbf{Adv}^{\mathrm{imp\text{-}atk}}_{SI,A}(k)$ and is defined to be the probability of $A$ winning in the above experiment. We say that SI is an imp-atk-secure SI scheme if $\mathbf{Adv}^{\mathrm{imp\text{-}atk}}_{SI,A}(\cdot)$ is negligible for every polynomial-time $A$.

Identity-based identification schemes. An identity-based identification (IBI) scheme is a four-tuple IBI = (MKg, UKg, P, V) of polynomial-time algorithms. The trusted, key-issuing authority runs the master-key generation algorithm MKg on input $1^k$, where $k$ is a security parameter, to obtain a master public and secret key pair $(mpk, msk)$. It can then run the user-key generation algorithm UKg on $msk$ and the identity $I \in \{0,1\}^*$ of a user to generate for this user a secret key $usk$ which is then assumed to be securely communicated to the user in question. In the interactive identification protocol, the prover with identity $I$ runs interactive algorithm P with initial state $usk$, and the verifier runs V with initial state $mpk, I$. The first and last messages of the protocol belong to the prover. The protocol ends when V enters either the acc or rej state. In the random oracle model, UKg, P, V additionally have oracle access to a function $H$ whose range may depend on $mpk$. We require that for all $k \in \mathbb{N}$, $I \in \{0,1\}^*$, $(mpk, msk) \in [\mathrm{MKg}(1^k)]$, functions $H$ with appropriate domain and range, and $usk \in [\mathrm{UKg}(msk, I : H)]$, the interaction between P (initialized with $usk$) and V (initialized with $mpk, I$) is acc with probability one.

Security of IBI schemes. The security definition for IBI schemes is similar to that of SI schemes. We highlight only the differences here. An adversary $A$ is a pair of a cheating verifier $CV$ and a cheating prover $CP$. It is given a conversation oracle for passive attacks or a prover oracle for active and concurrent attacks as before, except that here it can ask for transcripts or for interactions with respect to identities of its choice. For all three types of attacks, it is additionally given access to an initialization oracle and a corrupt oracle with which it can initialize and corrupt an identity, respectively. The former causes the new identity to receive a newly generated user secret key, while the latter exposes the identity's user secret key to $A$ and then marks the identity as corrupted. As before, $CV$ is run first. At its completion, it returns an uncorrupted identity $J$ to be impersonated (along with other state information). Then, $CP$ attempts the impersonation for $J$. Throughout, $A$ is not allowed to submit queries involving corrupted identities (other than the original corrupting queries). Additionally, $CP$ is not allowed to submit queries involving $J$. For atk $\in$ {pa, aa, ca}, the imp-atk advantage of $A$ in attacking IBI is written as $\mathbf{Adv}^{\mathrm{imp\text{-}atk}}_{IBI,A}(k)$ and is defined to be the probability of $A$ winning in the above experiment. We say that IBI is an imp-atk-secure IBI scheme if $\mathbf{Adv}^{\mathrm{imp\text{-}atk}}_{IBI,A}(\cdot)$ is negligible for every polynomial-time $A$. Details are in [2].
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3 Convertible Schemes and Our Transforms 



In analogy with the definition of trapdoor signature schemes [9], we define the concept 
of convertible identification schemes and show how to transform these into IBI schemes. 
We use a slightly more general concept than the trapdoor one-way permutations used 
by [9] that we will call trapdoor samplable relations. A relation R is a set of ordered 
pairs $(x, y) \in \mathrm{Dom}(R) \times \mathrm{Ran}(R)$. We write the set of images of $x \in \mathrm{Dom}(R)$ as 
$R(x) = \{y \mid (x, y) \in R\}$ and the set of inverses of $y \in \mathrm{Ran}(R)$ as 
$R^{-1}(y) = \{x \mid (x, y) \in R\}$. 

Definition 1. A family of trapdoor samplable relations F is a triplet of polynomial-time 
algorithms (TDG, Sample, Inv) such that the following properties hold: (1) Efficient 
generation: On input $1^k$, where $k \in \mathbb{N}$ is the security parameter, TDG outputs the 
description $\langle R\rangle$ of a relation R in the family together with its trapdoor information $t$; 
(2) Samplability: The output of the algorithm Sample on an input $\langle R\rangle$ is uniformly 
distributed over R; (3) Inversion: On input a relation description $\langle R\rangle$, the corresponding 
trapdoor $t$, and an element $y \in \mathrm{Ran}(R)$, the randomized algorithm Inv outputs a 
random element of $R^{-1}(y)$; (4) Regularity: Every relation R in the family is regular, 
meaning that the number of inverses $|R^{-1}(y)|$ is the same for all $y \in \mathrm{Ran}(R)$. 

Note that this definition does not ask that any computational problem relating to the 
family be hard. (For example, there is no “one-wayness” requirement.) We do not need 
any such assumption. 

Definition 2. A SI scheme SI = (Kg, P, V) is said to be convertible if there exists a 
family of trapdoor samplable relations F = (TDG, Sample, Inv) such that for all $k \in \mathbb{N}$ 
the output of the following is distributed identically to the output of Kg($1^k$): 

$(\langle R\rangle, t) \leftarrow \mathrm{TDG}(1^k)$ ; $(x, y) \leftarrow \mathrm{Sample}(\langle R\rangle)$ ; 
$pk \leftarrow (\langle R\rangle, y)$ ; $sk \leftarrow (\langle R\rangle, x)$ ; Return $(pk, sk)$ 

The following describes the cSI-2-IBI transform of a convertible SI (cSI) scheme into 
an IBI scheme. The idea is that to each identity $I$ we can associate a value that is 
derivable from the master public key and $I$. This value plays the role of a public key 
for the underlying cSI scheme. This "pseudo-public-key" is $(\langle R\rangle, \mathrm{H}(I))$, where H is a 
random oracle. 



Construction 1. Let SI = (Kg, P, V) be a cSI scheme, and let F = (TDG, Sample, 
Inv) be the family of trapdoor samplable relations that underlies it as per Definition 2. 
The cSI-2-IBI transform associates to SI the random-oracle model IBI scheme IBI = 
(MKg, UKg, $\bar{\mathrm{P}}$, $\bar{\mathrm{V}}$) whose components we now describe. The master and user key 
generation algorithms are defined as 

Algorithm MKg($1^k$) 
    $(\langle R\rangle, t) \leftarrow \mathrm{TDG}(1^k)$ 
    $mpk \leftarrow \langle R\rangle$ ; $msk \leftarrow (\langle R\rangle, t)$ 
    Return $(mpk, msk)$ 

Algorithm UKg($msk, I$ : H) 
    Parse $msk$ as $(\langle R\rangle, t)$ 
    $x \leftarrow \mathrm{Inv}(\langle R\rangle, t, \mathrm{H}(I))$ ; $usk \leftarrow (\langle R\rangle, x)$ 
    Return $usk$ 

where H : $\{0,1\}^* \to \mathrm{Ran}(R)$ is a random oracle. The prover algorithm $\bar{\mathrm{P}}$ is identical 
to P. The verifier algorithm $\bar{\mathrm{V}}(\cdot, \cdot : \mathrm{H})$ parses its initial state as $(\langle R\rangle, I)$ and runs V on 
initial state $(\langle R\rangle, \mathrm{H}(I))$. 

The following theorem, proved in [2], says that cSI-2-IBI is security-preserving. 

Theorem 1. Let SI be a cSI scheme and let IBI = cSI-2-IBI(SI) be the associated 
IBI scheme as per Construction 1. For any atk $\in$ {pa, aa, ca}, if SI is imp-atk secure 
then IBI is imp-atk secure. 

Convertibility of a standard signature (SS) scheme SS = (Kg, Sign, Vf) is defined by 
analogy to Definition 2. (The condition is only on the key-generation algorithm.) The 
cSS-2-IBS transform is defined analogously to the cSI-2-IBI transform: given a convertible 
SS (cSS) scheme SS = (Kg, Sign, Vf), the transform yields an IBS scheme 
IBS = (MKg, UKg, $\overline{\mathrm{Sign}}$, $\overline{\mathrm{Vf}}$) where the master and the user key generators are exactly 
as in Construction 1, and $\overline{\mathrm{Sign}}(usk, \cdot)$ and $\overline{\mathrm{Vf}}(mpk, \cdot : \mathrm{H})$ are identical to 
Sign($usk, \cdot$) and Vf($(mpk, \mathrm{H}(I)), \cdot, \cdot$), respectively. The proof of the following analogue 
of Theorem 1 is similar to the proof of Theorem 1 and is thus omitted. 

Theorem 2. Let SS be a cSS scheme and let IBS = cSS-2-IBS(SS) be the associated 
IBS scheme as defined above. If SS is uf-cma secure then IBS is also uf-cma secure. 

One can check that any trapdoor SS (tSS) scheme as defined in [9] is a cSS scheme, and 
their tSS-2-IBS transform coincides with cSS-2-IBS in case the starting cSS scheme is 
trapdoor. Thus, Theorem 2 represents a (slight) extension of their result. However, the 
extension is important, for we will see cases of cSS schemes that are not trapdoor and 
where the extension is needed. 

We know that, if SI is an imp-pa secure SI scheme, then fs-I-2-S(SI) is a uf-cma 
secure SS scheme [1]. It is also easy to see that the fs-I-2-S transform of a cSI scheme 
is a cSS scheme. Combining this with Theorem 2 yields the following, which will be 
our main tool to prove security of IBS schemes. 

Corollary 1. Let SI be a cSI scheme, and let IBS = cSS-2-IBS(fs-I-2-S(SI)). If SI 
is imp-pa secure then IBS is uf-cma secure. 

Above, it is assumed that SI is a three-move, public coin protocol (so that one can 
apply fs-I-2-S to it) and also that the commitment (first move of the prover) is drawn 
from a space of super-polynomial size (so that the result of [1] applies). An SI or IBI 
scheme having these properties is called canonical. 

One can also apply the fs-I-2-S transform to a canonical IBI scheme to obtain an IBS 
scheme, and one can check that cSS-2-IBS(fs-I-2-S(SI)) = fs-I-2-S(cSI-2-IBI(SI)) 
for any canonical cSI scheme SI. It follows that fs-I-2-S yields a uf-cma secure IBS 
scheme if it is applied to a converted IBI scheme, meaning one that is obtained as the 
result of applying cSI-2-IBI to some (canonical) cSI scheme. However, one can also 
apply fs-I-2-S to a canonical IBI scheme that is not converted and get an IBS scheme, 
and there will be instances later where we would like to do this. Unfortunately, the IBS 
scheme so obtained need not be secure, in the sense that the analogue of the result of 
[1] does not hold, as stated below and proved in [2]. 

Proposition 1. Assume there exists an imp-pa secure canonical IBI scheme. Then, there 
exists an imp-pa secure canonical IBI scheme IBI such that fs-I-2-S(IBI) is not uf-cma 
secure. 

We now provide a remedy for the above. We consider a modified version of the fs-I-2-S 
transform that hashes the identity of the signer (prover) along with the commitment and 
message, rather than merely hashing the commitment and message as in fs-I-2-S. We 
can show (by an extension of the proof of [1] that we omit) that, if this transform is 
applied to a canonical imp-pa secure IBI scheme, then the outcome is a uf-cma secure 
IBS scheme. We apply this in [2] to obtain uf-cma secure IBS schemes from the two 
unconverted IBI schemes we consider, namely OkDL-IBI and BNN-IBI. 



4 Applying the Framework 

We now apply the above transform-based framework to prove security of existing and 
new IBI and IBS schemes. To do this, we consider numerous SI schemes. (Some are 
known. Some are new.) We show that they are convertible, and then analyze their secu- 
rity. The implications for corresponding IBI and IBS schemes, obtained via the trans- 
forms discussed above, follow from Theorem 1 and Corollary 1. Figure 3 presents the 
key generation algorithms of the SI schemes we consider, and Figure 4 presents the 
corresponding identification protocols. 

Generators. The key generation algorithms shown in Figure 3 make use of parameter 
generation algorithms: $K_{\mathrm{fact}}$ for factoring-based schemes, $K_{\mathrm{rsa}}$ for RSA-based 
schemes, $K_{\mathrm{dlog}}$ for DL-based schemes and $K_{\mathrm{pair}}$ for pairing-based schemes. These 
are randomized polynomial-time algorithms that on input $1^k$ produce the following 
outputs: $K_{\mathrm{fact}}$ generates tuples $(N, p, q)$ such that $p, q$ are primes and $N = pq$; $K_{\mathrm{rsa}}$ 
outputs $(N, e, d)$ such that $N$ is the product of two primes and $ed = 1 \bmod \varphi(N)$; 
$K_{\mathrm{dlog}}$ outputs the description of a multiplicative group $G$, its prime order $q$ and a 
generator $g$; $K_{\mathrm{pair}}$ generates the description of an additive group $G_1$ and a multiplicative $G_2$ 
of the same prime order $q$, a generator $P$ of $G_1$ and a non-degenerate, polynomial-time 
computable bilinear map $e : G_1 \times G_1 \to G_2$. We say that $K_{\mathrm{rsa}}$ is a prime-exponent 
generator if $e$ is always a prime. Security results will make various assumptions about 
the computational problems underlying these generators. 

Hash function ranges. In applying cSI-2-IBI to FS-SI, we assume the hash function 
in Construction 1 has range the set of quadratic residues modulo $N$ where $N$ is 
the modulus in the public key. This is a convenient abstraction in the random-oracle 
model, but note that implementing such a hash function is difficult since the range is 
not decidable in polynomial time. However, this is a standard problem in this domain 
and various standard changes to the scheme take care of it. The same problem arises 
for several other schemes below as well, and also arises in [9]. We will not mention it 
again, but instead assume our random-oracle hash functions have whatever ranges we 
need. These ranges are usually obvious from the scheme and are not discussed explicitly. 

Fig. 3. Key generation algorithms of the 12 cSI schemes that we consider. Each takes 
input $1^k$ and returns $(pk, sk)$. The integers $m, t \ge 1$, where used, are scheme parameters. 
See the text for notation used. 

FS: $(N, p, q) \leftarrow K_{\mathrm{fact}}(1^k)$; for $i = 1, \ldots, t$ do $x_i \leftarrow Z_N^*$; $X_i \leftarrow x_i^{-2} \bmod N$; 
    $pk \leftarrow (N, (X_1, \ldots, X_t))$; $sk \leftarrow (N, (x_1, \ldots, x_t))$. 

ItR: $(N, p, q) \leftarrow K_{\mathrm{fact}}(1^k)$; for $i = 1, \ldots, t$ do $x_i \leftarrow Z_N^*$; $X_i \leftarrow x_i^{-2^m} \bmod N$; 
    $pk \leftarrow (N, (X_1, \ldots, X_t))$; $sk \leftarrow (N, (x_1, \ldots, x_t))$. 

GQ, Sh, Sh*: $(N, e, d) \leftarrow K_{\mathrm{rsa}}(1^k)$; $x \leftarrow Z_N^*$; $X \leftarrow x^e \bmod N$; 
    $pk \leftarrow ((N, e), X)$; $sk \leftarrow ((N, e), x)$. 

FF: $(N, p, q) \leftarrow K_{\mathrm{fact}}(1^k)$; choose $\tau > \eta(p, q) - 1$; $g \leftarrow HQR_N$; $x_1 \leftarrow Z_{2^m}$; $x_2 \leftarrow Z_N^*$; 
    $X \leftarrow g^{x_1} x_2^{2^{m+\tau}} \bmod N$; $pk \leftarrow ((N, \tau, g), X)$; $sk \leftarrow ((N, \tau, g), (x_1, x_2))$. 

Gir: $(N, e, d, f) \leftarrow K_{\mathrm{rsa}}(1^k)$; choose $g \in Z_N^*$ of order $f$; $h \leftarrow g^e \bmod N$; $s \leftarrow Z_f$; $X \leftarrow Z_N^*$; 
    $S \leftarrow g^{-s} \bmod N$; $P \leftarrow X^{-d} S \bmod N$; $pk \leftarrow ((N, e, h, f), X)$; $sk \leftarrow ((N, e, h, f), (P, s))$. 

OkRSA: $(N, e, d) \leftarrow K_{\mathrm{rsa}}(1^k)$; $g \leftarrow Z_N^*$; $x_1 \leftarrow Z_e$; $x_2 \leftarrow Z_N^*$; $X \leftarrow g^{x_1} x_2^e \bmod N$; 
    $pk \leftarrow ((N, e, g), X)$; $sk \leftarrow ((N, e, g), (x_1, x_2))$. 

SOK, Hs, ChCh: $(G_1, G_2, q, P, e) \leftarrow K_{\mathrm{pair}}(1^k)$; $s, u \leftarrow Z_q$; $S \leftarrow sP$; $U \leftarrow uP$; $V \leftarrow suP$; 
    $pk \leftarrow ((G_1, G_2, q, P, e, S), U)$; $sk \leftarrow ((G_1, G_2, q, P, e, S), V)$. 

Beth: $(G, q, g) \leftarrow K_{\mathrm{dlog}}(1^k)$; $r \leftarrow Z_q$; $R \leftarrow g^r$; $x, h \leftarrow Z_q$; $X \leftarrow g^x$; $s \leftarrow (h - Rx) r^{-1} \bmod q$; 
    $pk \leftarrow ((G, q, g, X), h)$; $sk \leftarrow ((G, q, g, X), (R, s))$. 

FS and ItR. Since FS-SI is the special case of ItR-SI in which $m = 1$, it suffices to 
show that the latter is convertible. This is easily seen by considering the relation 
$R = \{((x_1, \ldots, x_t), (X_1, \ldots, X_t)) \mid X_i = x_i^{-2^m} \bmod N \text{ for } i = 1, \ldots, t\}$ with description 
$\langle R\rangle = N$ and trapdoor $(p, q)$. Pair sampling involves selecting random elements from 
$Z_N^*$, raising them to the $2^m$-th power, and inverting them modulo $N$. 

We note that FS-IBI = cSI-2-IBI(FS-SI) is exactly the IBI scheme in [11] and 
FS-IBS = cSS-2-IBS(fs-I-2-S(FS-SI)) is exactly the IBS scheme in [11]. We know 
that FS-SI is imp-pa and imp-aa secure assuming factoring is hard [10], and this easily 
extends to imp-ca. Theorem 1 implies that FS-IBI inherits these security attributes. 
(Corollary 1 implies uf-cma security of FS-IBS assuming factoring is hard, but this 
was known [9].) 

We know that ItR-SI is imp-pa and imp-aa secure assuming factoring is hard [30, 
28]. Theorem 1 implies that ItR-IBI = cSI-2-IBI(ItR-SI) is imp-pa and imp-aa secure 
assuming factoring is hard. (Corollary 1 implies that ItR-IBS = cSS-2-IBS(fs-I-2-S( 
ItR-SI)) is uf-cma assuming factoring is hard, but this was known [9].) Whether ItR-SI 
is imp-ca secure, and hence whether ItR-IBI is imp-ca secure, remains open. 
Fig. 4. Identification protocols of the 12 cSI schemes that we consider. We show the 
first commitment message Cmt sent by the prover, the challenge Ch sent by the verifier, 
the response Rsp returned by the prover, and the condition under which the verifier 
accepts. All schemes use Cmt = $Y$, Ch = $c$ and Rsp = $z$ unless explicitly defined 
otherwise. The prover is initialized with $sk$ and the verifier with $pk$. The integers $m, t \ge 1$, 
and the challenge length $l : \mathbb{N} \to \mathbb{N}$, where used, are scheme parameters. In Sh-SI, 
Sh*-SI, GQ-SI, and Gir-SI, it is assumed that $2^{l(k)} < e$ for all $e$ output by $K_{\mathrm{rsa}}(1^k)$. 
All security results assume $l$ is super-logarithmic. $K_{\mathrm{rsa}}$ is a prime-exponent generator 
in Sh-SI, Sh*-SI, and GQ-SI. 

FS. Cmt: $y \leftarrow Z_N^*$; $Y \leftarrow y^2 \bmod N$. Ch: $c = (c_1, \ldots, c_t) \leftarrow Z_2^t$. 
    Rsp: $z \leftarrow y \prod_i x_i^{c_i} \bmod N$. Accept iff $Y = z^2 \prod_i X_i^{c_i} \bmod N$. 

ItR. Cmt: $y \leftarrow Z_N^*$; $Y \leftarrow y^{2^m} \bmod N$. Ch: $c = (c_1, \ldots, c_t) \leftarrow Z_{2^m}^t$. 
    Rsp: $z \leftarrow y \prod_i x_i^{c_i} \bmod N$. Accept iff $Y = z^{2^m} \prod_i X_i^{c_i} \bmod N$. 

FF. Cmt: $y_1 \leftarrow Z_{2^{m+\tau}}$; $y_2 \leftarrow Z_N^*$; $Y \leftarrow g^{y_1} y_2^{2^{m+\tau}} \bmod N$. Ch: (not legible in the scan). 
    Rsp: $z_1 \leftarrow y_1 + c x_1 \bmod 2^{m+\tau}$; $\alpha \leftarrow \lfloor (y_1 + c x_1) / 2^{m+\tau} \rfloor$; 
    $z_2 \leftarrow g^{\alpha} y_2 x_2^c \bmod N$; $z \leftarrow (z_1, z_2)$. Accept iff $g^{z_1} z_2^{2^{m+\tau}} = Y X^c \bmod N$. 

Sh. Cmt: $y \leftarrow Z_N^*$; $Y \leftarrow y^e \bmod N$. Ch: $c \leftarrow \{0, \ldots, 2^{l(k)} - 1\}$. 
    Rsp: $z \leftarrow x y^c \bmod N$. Accept iff $z^e = X Y^c \bmod N$. 

Sh*. Cmt: $y \leftarrow Z_N^*$; $Y \leftarrow y^e \bmod N$. Ch: $c \leftarrow \{1, \ldots, 2^{l(k)} - 1\}$. 
    Rsp: $z \leftarrow x y^c \bmod N$. Accept iff $z^e = X Y^c \bmod N$. 

GQ. Cmt: $y \leftarrow Z_N^*$; $Y \leftarrow y^e \bmod N$. Ch: $c \leftarrow \{0, \ldots, 2^{l(k)} - 1\}$. 
    Rsp: $z \leftarrow x^c y \bmod N$. Accept iff $z^e = X^c Y \bmod N$. 

OkRSA. Cmt: $y_1 \leftarrow Z_e$; $y_2 \leftarrow Z_N^*$; $Y \leftarrow g^{y_1} y_2^e \bmod N$. Ch: $c \leftarrow \{0, 1\}^{l(k)}$. 
    Rsp: $z_1 \leftarrow y_1 + c x_1 \bmod e$; $\alpha \leftarrow \lfloor (y_1 + c x_1) / e \rfloor$; 
    $z_2 \leftarrow g^{\alpha} y_2 x_2^c \bmod N$; $z \leftarrow (z_1, z_2)$. Accept iff $Y = g^{z_1} z_2^e X^{-c} \bmod N$. 

Gir. Cmt: $y \leftarrow Z_f$; $Y \leftarrow h^y \bmod N$; Cmt $\leftarrow (P, Y)$. Ch: $c \leftarrow \{0, \ldots, 2^{l(k)} - 1\}$. 
    Rsp: $z \leftarrow y + sc \bmod f$. Accept iff $h^z (P^e X)^c = Y \bmod N$. 

SOK. Cmt: $y \leftarrow Z_q$; $Y \leftarrow yP$. Ch: $c \leftarrow G_1$. 
    Rsp: $z \leftarrow yc + V$. Accept iff $e(z, P) = e(U, S)\, e(c, Y)$. 

Hs. Cmt: $y \leftarrow Z_q$; $Y \leftarrow e(P, P)^y$. Ch: $c \leftarrow Z_q$. 
    Rsp: $z \leftarrow yP + cV$. Accept iff $e(z, P) = Y \cdot e(U, S)^c$. 

ChCh. Cmt: $y \leftarrow Z_q$; $Y \leftarrow yU$. Ch: $c \leftarrow Z_q$. 
    Rsp: $z \leftarrow (y + c) V$. Accept iff $e(z, P) = e(Y + cU, S)$. 

Beth. Cmt: $y \leftarrow Z_q$; $Y \leftarrow R^{-y}$; Cmt $\leftarrow (R, Y)$. Ch: $c \leftarrow \{0, \ldots, 2^{l(k)} - 1\}$. 
    Rsp: $z \leftarrow y + cs \bmod q$. Accept iff $g^{hc} = R^z Y X^{Rc}$. 
FF. The FF-SI scheme was introduced by [12] as a fix to an attack they found on a 
scheme in [21]. In the key-generation algorithm of Figure 3, $\eta(p)$ denotes the largest 
integer such that $2^{\eta(p)}$ divides $p - 1$, and $\eta(p, q) = \max\{\eta(p), \eta(q)\}$. FF-SI is shown in 
[12] to be imp-pa, imp-aa, and imp-ca secure assuming factoring is hard. The authors 
defined no IBI or IBS schemes. We can show that FF-SI is convertible, and we thus 
obtain FF-IBI = cSI-2-IBI(FF-SI) and FF-IBS = cSS-2-IBS(fs-I-2-S(FF-SI)), and 
these are secure if factoring moduli generated by $K_{\mathrm{fact}}$ is hard. 

Let $HQR_N = \{x^{2^{\eta(p,q)}} \bmod N \mid x \in Z_N^*\}$ denote the set of higher quadratic 
residues modulo $N$, which is also the subset of elements of $Z_N^*$ of odd order. To show 
convertibility of FF-SI we consider the relation $R \subseteq (Z_{2^m} \times Z_N^*) \times HQR_N$ described 
by $(N, g, \tau)$ and containing tuples $((x_1, x_2), X)$ such that $g^{x_1} x_2^{2^{\tau+m}} = X \bmod N$. 
The trapdoor is the factorization of $N$. Regularity holds since squaring is a permutation 
over $HQR_N$ and since each higher quadratic residue has exactly (number not legible in the scan) 
different $2^{\tau+m}$-th roots modulo $N$. Pair sampling involves choosing $x_1, x_2$ at random and 
computing $X \leftarrow g^{x_1} x_2^{2^{\tau+m}} \bmod N$. 

GQ. The GQ-SI scheme defined via Figures 3 and 4 is the standard one considered 
in the literature. Convertibility is easily seen by considering the relation 
$R = \{(x, X) \mid x^e = X \bmod N\}$, relation description $\langle R\rangle = (N, e)$, and trapdoor $d$. Pair 
sampling involves choosing $x$ and computing $X \leftarrow x^e \bmod N$. We note 
that GQ-IBI = cSI-2-IBI(GQ-SI) is exactly the IBI scheme in [16], and GQ-IBS = 
cSS-2-IBS(fs-I-2-S(GQ-SI)) is exactly the IBS scheme in [16]. We know that GQ-SI 
is imp-pa secure assuming RSA is one-way, and imp-aa and imp-ca secure assuming 
hardness of the one-more-RSA problem [4]. Theorem 1 says that these results extend 
to GQ-IBI. (Also Corollary 1 says that GQ-IBS is uf-cma assuming RSA is one-way, 
but this was known [9].) 
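To make Construction 1 concrete, here is an added example (not code from the paper, nor a library implementation) that instantiates the trapdoor samplable relation of GQ-SI, $\{(x, X) \mid x^e = X \bmod N\}$, with constructed toy RSA parameters, runs cSI-2-IBI on it, and then applies the identity-hashing variant of fs-I-2-S described at the end of Section 3 to obtain an IBS scheme. The hash-to-$Z_N^*$ helper also shows one standard way of dealing with the range problem raised under "Hash function ranges": re-hashing with a counter in the negligible-probability case that the output is not coprime to $N$. The function names, the SHA-256 domain-separation tags and the parameter sizes are this example's own choices.

```python
import hashlib
import random
from math import gcd

# Constructed toy RSA instance (illustration only; real moduli are >= 2048 bits).
P_TOY, Q_TOY = 1000003, 999983
E_TOY = 2**31 - 1        # prime exponent, so this K_rsa is a prime-exponent generator
L_CHAL = 30              # challenge length l(k); Fig. 4 needs 2^l < e for GQ-SI


def tdg():
    """TDG(1^k): description <R> = (N, e) of R = {(x, X) | x^e = X mod N}, trapdoor d."""
    n = P_TOY * Q_TOY
    d = pow(E_TOY, -1, (P_TOY - 1) * (Q_TOY - 1))
    return (n, E_TOY), d


def sample(desc, rng):
    """Sample(<R>): a uniformly random pair (x, X) in R; no trapdoor is needed."""
    n, e = desc
    while True:
        x = rng.randrange(1, n)
        if gcd(x, n) == 1:
            return x, pow(x, e, n)


def inv(desc, d, X):
    """Inv(<R>, d, X): the unique e-th root of X (regularity: |R^{-1}(X)| = 1)."""
    return pow(X, d, desc[0])


def hash_to_znstar(n, data):
    """Random-oracle stand-in H : {0,1}* -> Z_N^*: SHA-256 reduced mod N, re-hashed
    with a counter in the negligible-probability case that gcd(h, N) != 1."""
    ctr = 0
    while True:
        digest = hashlib.sha256(b"H1" + ctr.to_bytes(4, "big") + data).digest()
        h = int.from_bytes(digest, "big") % n
        if gcd(h, n) == 1:
            return h
        ctr += 1


def hash_challenge(ident, Y, msg):
    """H2(I || Y || M) truncated to l bits: the signer's identity is hashed together
    with the commitment and the message (modified fs-I-2-S transform)."""
    data = b"H2" + ident + b"|" + str(Y).encode() + b"|" + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (1 << L_CHAL)


# GQ-SI (Fig. 4): Cmt = Y = y^e, Ch = c, Rsp = z = x^c y; accept iff z^e = X^c Y.
def gq_commit(desc, rng):
    return sample(desc, rng)            # y <- Z_N^*, Y = y^e mod N


def gq_respond(desc, x, y, c):
    n = desc[0]
    return pow(x, c, n) * y % n


def gq_verify(desc, X, Y, c, z):
    n, e = desc
    return pow(z, e, n) == pow(X, c, n) * Y % n


# cSI-2-IBI (Construction 1) applied to GQ-SI.
def mkg():
    desc, d = tdg()
    return desc, (desc, d)              # mpk = <R>, msk = (<R>, d)


def ukg(msk, ident):
    desc, d = msk
    return desc, inv(desc, d, hash_to_znstar(desc[0], ident))   # usk = (<R>, H(I)^d)


def ibi_identify(mpk, usk, ident, rng, challenge=None):
    """One protocol run; the verifier derives the pseudo-public-key H(I) itself."""
    desc, x = usk
    y, Y = gq_commit(desc, rng)                                     # prover -> verifier
    c = rng.randrange(1 << L_CHAL) if challenge is None else challenge   # verifier -> prover
    z = gq_respond(desc, x, y, c)                                   # prover -> verifier
    return gq_verify(mpk, hash_to_znstar(mpk[0], ident), Y, c, z)


# IBS from the IBI scheme via fs-I-2-S with the identity included in the hash.
def ibs_sign(usk, ident, msg, rng):
    desc, x = usk
    y, Y = gq_commit(desc, rng)
    return Y, gq_respond(desc, x, y, hash_challenge(ident, Y, msg))


def ibs_verify(mpk, ident, msg, sig):
    Y, z = sig
    return gq_verify(mpk, hash_to_znstar(mpk[0], ident), Y, hash_challenge(ident, Y, msg), z)


def demo(seed=7):
    """Honest run, impostor holding a wrong key (fixed c = 1), and three signature checks."""
    rng = random.Random(seed)
    ident, msg = b"alice@example.com", b"transfer 10 to bob"       # constructed sample input
    mpk, msk = mkg()
    usk = ukg(msk, ident)
    honest = ibi_identify(mpk, usk, ident, rng)
    impostor = ibi_identify(mpk, (usk[0], usk[1] + 1), ident, rng, challenge=1)
    sig = ibs_sign(usk, ident, msg, rng)
    return (honest, impostor,
            ibs_verify(mpk, ident, msg, sig),
            ibs_verify(mpk, ident, msg, (sig[0], sig[1] + 1)),      # tampered response
            ibs_verify(mpk, ident, b"transfer 99 to bob", sig))     # message swapped
```

Note that the verifier in `ibi_identify` is given only `mpk` and the identity; everything else it needs is recomputed from the random oracle, which is exactly why Theorem 1 can reduce an IBI impersonator to an SI impersonator against the pseudo-public-key $(\langle R\rangle, \mathrm{H}(I))$. `demo()` returns `(True, False, True, False, False)`.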

Sh AND Sh*. Shamir [29] defined an IBS scheme, but no SI or IBI schemes. He gave 
no security proof for his IBS scheme, and none has been provided until now. 

We surface the SI scheme Sh-SI defined via Figures 3 and 4. One can check that 
Sh-IBS = cSS-2-IBS(fs-l-2-S(Sh-SI)) is exactly the IBS scheme in [29]. Sh-SI is in- 
teresting both historically and technically. It turns out to be a “mirror-image” of GQ-SI 
that closely resembles the latter. Convertibility of Sh-SI follows from the convertibil- 
ity of GQ-SI since the two schemes have the same key-generation algorithm. Coming 
to consider security, the first question to ask is whether Sh-SI is honest-verifier zero- 
knowledge (HVZK). While this was obvious for GQ-SI (and in fact, if true for an SI 
scheme, is usually obvious), it is in fact not apparent at first glance for Sh-SI, and one 
might suspect that the scheme is not HVZK. However, using a trick involving gcds, we 
show that Sh-SI is statistical (not perfect) HVZK. We also show, in [2], that it is a proof 
of knowledge and thereby obtain the following: 

Theorem 3. The Sh-SI scheme is imp-pa secure assuming one-wayness of the underlying RSA 
key generator $K_{\mathrm{rsa}}$. 

Corollary 1 now implies that Sh-IBS is uf-cma secure under the same assumptions. 

However, the Sh-SI scheme is trivially insecure under active attacks, since the cheating 
verifier can learn the secret key by sending a zero challenge. But this minor weakness is 
easily fixed by "removing" the zero challenge. We define via Figures 3 and 4 a modified 
scheme we denote Sh*-SI. This scheme turns out to have security attributes analogous 
to those of GQ-SI in that we can show the following: 

Theorem 4. The Sh*-SI scheme is imp-pa secure assuming one-wayness of the underlying 
RSA key generator $K_{\mathrm{rsa}}$, and imp-aa and imp-ca secure assuming the one-more-RSA 
problem relative to $K_{\mathrm{rsa}}$ is hard. 

The proof of this theorem is in [2]. We obtain the usual consequences for Sh*-IBI = 
cSI-2-IBI(Sh*-SI) and Sh*-IBS = cSS-2-IBS(fs-I-2-S(Sh*-SI)). 
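The zero-challenge weakness of Sh-SI and its removal in Sh*-SI, as an added example that is not part of the paper: the same prover and verifier code serves both schemes, the only difference being whether the challenge $c = 0$ is part of the challenge set. The RSA parameters are constructed toy values and the function names are this example's own.

```python
import random
from math import gcd

# Constructed toy RSA public parameters (N, e), as used by the Fig. 3 key generator
# shared by GQ-SI, Sh-SI and Sh*-SI; sizes are illustrative only.
N_TOY = 1000003 * 999983
E_TOY = 2**31 - 1
L_CHAL = 30                       # Fig. 4 assumes 2^{l(k)} < e


def keygen(rng):
    """Kg: x <- Z_N^*, X <- x^e mod N; returns (pk, sk) = (((N,e),X), ((N,e),x))."""
    while True:
        x = rng.randrange(1, N_TOY)
        if gcd(x, N_TOY) == 1:
            return ((N_TOY, E_TOY), pow(x, E_TOY, N_TOY)), ((N_TOY, E_TOY), x)


def sh_commit(rng):
    """Cmt: y <- Z_N^*, Y <- y^e mod N (the same for Sh-SI and Sh*-SI)."""
    while True:
        y = rng.randrange(1, N_TOY)
        if gcd(y, N_TOY) == 1:
            return y, pow(y, E_TOY, N_TOY)


def sh_respond(sk, y, c, star=False):
    """Rsp: z <- x y^c mod N. An Sh*-SI prover only answers challenges in
    {1, ..., 2^l - 1}; an Sh-SI prover answers the whole range {0, ..., 2^l - 1}."""
    _, x = sk
    if not 0 <= c < (1 << L_CHAL) or (star and c == 0):
        return None
    return x * pow(y, c, N_TOY) % N_TOY


def sh_verify(pk, Y, c, z, star=False):
    """Accept iff z^e = X Y^c mod N (and, for Sh*-SI, c != 0)."""
    _, X = pk
    if z is None or (star and c == 0):
        return False
    return pow(z, E_TOY, N_TOY) == X * pow(Y, c, N_TOY) % N_TOY


def honest_run(pk, sk, rng, star=False):
    """Completeness: an honest prover and verifier always end in acc."""
    y, Y = sh_commit(rng)
    c = rng.randrange(1 if star else 0, 1 << L_CHAL)
    return sh_verify(pk, Y, c, sh_respond(sk, y, c, star), star)


def zero_challenge_leaks(sk, rng, star=False):
    """The active attack from the text: a cheating verifier sends c = 0. In Sh-SI the
    response is z = x y^0 = x, the secret key itself; in Sh*-SI the prover refuses.
    Returns True iff the response equals the secret x."""
    y, _ = sh_commit(rng)
    return sh_respond(sk, y, 0, star) == sk[1]


def demo(seed=1):
    """Returns (Sh honest, Sh* honest, Sh leaks x on c = 0, Sh* leaks x on c = 0)."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return (honest_run(pk, sk, rng), honest_run(pk, sk, rng, star=True),
            zero_challenge_leaks(sk, rng), zero_challenge_leaks(sk, rng, star=True))
```

Excluding a single challenge costs nothing in completeness and only shrinks the challenge space by one element, which is why the imp-pa result for Sh-SI carries over to Sh*-SI while the active-attack results of Theorem 4 become possible. `demo()` returns `(True, True, True, False)`.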

OkRSA. Okamoto [21] presented an RSA-based SI scheme and a related RSA-based 
IBI scheme. He proved the former imp-pa and imp-aa secure assuming factoring is hard, 
and the proofs extend to establish imp-ca as well. However, he did not prove the IBI 
scheme secure, a gap we fill. 

The OkRSA-SI scheme defined via Figures 3 and 4 is the above-mentioned SI 
scheme. Notice that OkRSA-IBI = cSI-2-IBI(OkRSA-SI) is exactly the RSA-based 
IBI scheme in [21]. To show security of OkRSA-IBI and OkRSA-IBS = cSS-2-IBS 
(fs-I-2-S(OkRSA-SI)), it suffices to show that OkRSA-SI is convertible. For this, 
the relation has description $\langle R\rangle = (N, e, g)$, and contains tuples $((x_1, x_2), X) \in 
(Z_e \times Z_N^*) \times Z_N^*$ such that $X = g^{x_1} x_2^e \bmod N$. The trapdoor is $d$ such that 
$ed = 1 \bmod \varphi(N)$. Pair sampling involves choosing $x_1, x_2$ at random and computing 
$X \leftarrow g^{x_1} x_2^e \bmod N$. 

Gir. In [13], Girault proposed an SI scheme that we have defined via Figures 3 and 4 
and named Gir-SI. He also proposed a related IBI scheme. (These schemes are inspired 
by the Schnorr identification scheme [27] but use a modulus $N = pq$ where $p, q$ are of 
the special form $p = 2fp' + 1$ and $q = 2fq' + 1$ such that $f, p', q', p, q$ are all primes.) 
This IBI scheme did not use hash functions, which led to an attack and later a fix [25]. 
The fixed IBI scheme turns out to be exactly Gir-IBI = cSI-2-IBI(Gir-SI). 

Gir-SI is convertible with relation $R = \{((P, s), X) \mid P^e = X^{-1} h^{-s} \bmod N\}$ 
described by $(N, e, h, f)$. The trapdoor is $d = e^{-1} \bmod \varphi(N)$. Pair sampling involves 
choosing $P$ and $s$ at random and computing $X$ as $P^{-e} h^{-s} \bmod N$. However, this does 
not help here because we found that all schemes in the family are insecure. In particular, 
Gir-SI is not even imp-pa secure, and neither is the fixed IBI scheme Gir-IBI. The 
signature scheme Gir-IBS = cSS-2-IBS(fs-I-2-S(Gir-IBI)) is not uf-cma secure either. 

We attack only the Gir-IBS scheme, since the insecurity of the SI, IBI, and SS 
schemes then follows. In the Gir-IBS scheme, a signature of a user $I$ on a message $M$ 
under the master public key $mpk = (N, e, h, f)$ is a tuple $(P, Y, z)$ such that 
$Y = h^z (P^e \cdot H_1(I))^{H_2(P \| Y \| M)} \bmod N$. Given a valid signature $(P_1, Y_1, z_1)$ for message 
$M_1$ and identity $I$, an adversary can forge $I$'s signature for any message $M_2$ as follows. 
It first computes a value modulo $f$, a power of $g$ modulo $N$, and $S \leftarrow (P_1^e \cdot H_1(I))^{(\cdot)} \bmod N$ 
(the three exponents are not legible in the scan). Then, it chooses $s_2$ from $Z_f$ and computes 
$P_2$ from $P_1$, $S^{-1}$ and a power of $g$ modulo $N$ (exponents not legible in the scan). To obtain 
the forgery, it chooses $y_2$ from $Z_f$, lets $Y_2 \leftarrow (\cdot) \bmod N$ (base not legible in the scan), and computes 
$z_2 \leftarrow y_2 + s_2 H_2(P_2 \| Y_2 \| M_2) \bmod f$. The forgery is $(P_2, Y_2, z_2)$. 

It is natural to consider counteracting the above attack by removing $f$ from the 
public key. While this might work for the SI scheme, it does not for the IBI (or IBS) 
scheme. The reason is that, since $f$ still has to be included in each user's secret key, an 
adversary can easily extract it by corrupting one identity. 

We stress that the scheme broken here is not the (perhaps better-known) SI scheme 
by Girault based on discrete logarithms [14]. 

Pairing-based schemes. Many recent papers propose pairing-based IBS schemes 
[26, 8, 32, 23, 17] (the schemes independently published by [8] and [32] are actually 
equivalent). Barring [8], none of these papers prove their scheme secure. (Some proofs 
in weak models were however provided in [17, 32].) However, the scheme of [17] was 
proven secure in [9]. 

None of these papers define SI or IBI schemes. We surface SOK-SI (from [26]), 
ChCh-SI (from [8, 32]) and Hs-SI (from [17]), as defined by Figures 3 and 4. The 
ChCh-IBS = cSS-2-IBS(fs-l-2-S(ChCh-SI)) and Hs-IBS = cSS-2-IBS(fs-l-2-S(Hs-SI)) 
schemes are exactly the original IBS schemes, while SOK-IBS = cSS-2-IBS(fs-l-2-S 
(SOK-SI)) is slightly different from the scheme of [26]. 

We now show that all these pairing-based SI schemes are convertible. Since they all 
have the same key-generation algorithm, a common argument applies. The relation is 
$\{(V, U) \in G_1 \times G_1 \mid e(V, P) = e(U, S)\}$, described by $\langle R\rangle = (G_1, G_2, q, P, e, S)$. 
The trapdoor is $s$ such that $S = sP$. Pair sampling involves choosing $r \leftarrow Z_q$ and 
computing the pair $(rP, rS)$. The following is proved in [2]. 

Theorem 5. SOK-SI and ChCh-SI are imp-pa secure assuming that the computational 
Diffie-Hellman problem in the group $G_1$ associated to $K_{\mathrm{pair}}$ is hard. 

Corollary 1 implies that ChCh-IBS, SOK-IBS and Hs-IBS are uf-cma secure IBS schemes, 
but of these only the result about SOK-IBS is new. However, we prove the following 
in [2]: 

Theorem 6. ChCh-SI and Hs-SI are imp-aa and imp-ca secure assuming that the one-more 
computational Diffie-Hellman problem in the group $G_1$ associated to $K_{\mathrm{pair}}$ is 
hard. 

Theorem 1 implies that the ChCh-IBI and Hs-IBI schemes are imp-aa and imp-ca secure 
assuming that the one-more computational Diffie-Hellman problem in the group 
$G_1$ associated to $K_{\mathrm{pair}}$ is hard. Thus, we obtain new, pairing-based IBI schemes with 
proofs of security. 

SOK-SI and SOK-IBI are insecure under active or concurrent attacks: upon receiving 
a commitment $Y$, an adversary can choose $c' \leftarrow Z_q$, submit $c \leftarrow c'P$ as the 
challenge, and compute the prover's secret key from the response $z$ as $V \leftarrow z - c'Y$. 

Beth. The Beth-SI scheme defined via Figures 3 and 4 was surfaced from [6]. Beth-IBI 
= cSI-2-IBI(Beth-SI) is a more efficient version of the IBI scheme actually presented 
in [6]. In these schemes, the prover proves knowledge of an ElGamal signature of his 
identity. Beth [6] gives no security proofs, but here we obtain one for Beth-IBI. 

The Beth-SI scheme is convertible with the relation $\{((R, s), h) \in (G \times Z_q) \times 
Z_q \mid X^R R^s = g^h\}$ described by $\langle R\rangle = (G, q, g, X)$. The trapdoor is $x$ such that 
$g^x = X$. Pair sampling involves choosing $a, b$ at random from $Z_q$ and letting $R \leftarrow X^{-a} g^b$, 
$s \leftarrow a^{-1} R \bmod q$ and $h \leftarrow bs \bmod q$. In [2], we prove the following: 

Theorem 7. Beth-SI is imp-pa secure assuming that the hashed-message ElGamal signature 
scheme associated to $K_{\mathrm{dlog}}$ is universally unforgeable under no-message attacks 
in the random oracle model. 

While the hashed-message ElGamal signature scheme has never been formally proven 
secure, we note that universal forgery under no-message attacks is a very weak security 
notion for signature schemes and that a close variant of hashed-message ElGamal was 
proven uf-cma secure under the discrete log assumption in [24]. Now, Theorem 1 implies 
that Beth-IBI inherits the above security attributes, and Corollary 1 implies that 
Beth-IBS = cSS-2-IBS(fs-I-2-S(Beth-SI)) is uf-cma secure under the same assumptions. 
The imp-aa and imp-ca security of Beth-SI remains open. 
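The Beth relation is the one instance in this section where the trapdoor-free sampler and the trapdoor inverter look quite different: Sample builds a valid ElGamal signature pair without knowing $x$ by choosing the "message" $h$ last, while Inv signs a given $h$ with $x$. The following added example (not the paper's code) implements both, checks the relation, and runs one Beth-SI identification with each kind of key pair over a constructed toy subgroup of order 11 in $Z_{23}^*$; the function names, the challenge length and the parameter sizes are this example's own.

```python
import random

# Constructed toy discrete-log parameters: p = 23, q = 11 divides p - 1,
# and g = 2 generates the order-11 subgroup G of Z_23^*.  Illustration only.
P_TOY, Q_TOY, G_TOY = 23, 11, 2


def tdg(rng):
    """TDG(1^k): <R> = (G, q, g, X) with X = g^x; the trapdoor is x."""
    x = rng.randrange(1, Q_TOY)
    return (P_TOY, Q_TOY, G_TOY, pow(G_TOY, x, P_TOY)), x


def in_relation(desc, pair, h):
    """((R, s), h) in R iff X^R R^s = g^h, i.e. (R, s) is an ElGamal signature on h."""
    p, q, g, X = desc
    R, s = pair
    return pow(X, R, p) * pow(R, s, p) % p == pow(g, h, p)


def sample(desc, rng):
    """Sample(<R>) without the trapdoor: a, b <- Z_q, R <- X^{-a} g^b,
    s <- a^{-1} R mod q, h <- b s mod q.  Then X^R R^s = g^{xR + s(b - ax)} = g^{bs}."""
    p, q, g, X = desc
    a = rng.randrange(1, q)                 # a != 0 so that a^{-1} mod q exists
    b = rng.randrange(q)
    R = pow(X, (-a) % q, p) * pow(g, b, p) % p
    s = pow(a, -1, q) * R % q
    return (R, s), b * s % q


def inv(desc, x, h, rng):
    """Inv(<R>, x, h) with the trapdoor: r <- Z_q^*, R <- g^r, s <- (h - R x) r^{-1} mod q
    (ElGamal signing of h under the trapdoor x)."""
    p, q, g, X = desc
    r = rng.randrange(1, q)
    R = pow(g, r, p)
    return R, (h - R * x) * pow(r, -1, q) % q


def beth_identify(desc, sk, h, rng, l=8):
    """One Beth-SI run (Fig. 4): Cmt = (R, Y = R^{-y}), Ch = c, Rsp = z = y + c s mod q;
    the verifier, holding pk = (<R>, h), accepts iff g^{h c} = R^z Y X^{R c}."""
    p, q, g, X = desc
    R, s = sk
    y = rng.randrange(q)
    Y = pow(R, (-y) % q, p)
    c = rng.randrange(1 << l)               # challenge from {0, ..., 2^l - 1}
    z = (y + c * s) % q
    return pow(g, h * c, p) == pow(R, z, p) * Y * pow(X, R * c, p) % p


def demo(seed=3):
    """Pairs from Sample and from Inv both lie in R, and both let a prover identify."""
    rng = random.Random(seed)
    desc, x = tdg(rng)
    pair_s, h_s = sample(desc, rng)          # key pair produced without the trapdoor
    h_i = rng.randrange(desc[1])
    pair_i = inv(desc, x, h_i, rng)          # key pair for a chosen h via the trapdoor
    return (in_relation(desc, pair_s, h_s), in_relation(desc, pair_i, h_i),
            beth_identify(desc, pair_s, h_s, rng), beth_identify(desc, pair_i, h_i, rng))
```

In the IBI scheme obtained by cSI-2-IBI, `inv` is what UKg runs with $h = \mathrm{H}(I)$, which is the sense in which a Beth-IBI prover "proves knowledge of an ElGamal signature of his identity". `demo()` returns `(True, True, True, True)`.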



Acknowledgments 

We thank Marc Fischlin for pointing out that the Sh-SI scheme is zero-knowledge. The 
first author is supported in part by NSF grants CCR-0098123, ANR-0129617, CCR- 
0208842, and an IBM Faculty Partnership Development Award. The second author is 
supported in part by the above-mentioned grants of the first author. The third author 
is supported by a Research Assistantship and travel grant from the Fund for Scientific 
Research - Flanders (Belgium). 



References 

[1] M. Abdalla, J.H. An, M. Bellare, and C. Namprempre. From identification to signatures 
via the Fiat-Shamir transform: Minimizing assumptions for security and forward-security. 
In L. Knudsen, editor, EUROCRYPT 2002, volume 2332 of LNCS, pages 418-433. Springer-Verlag, 
April 2002. 

[2] M. Bellare, C. Namprempre, and G. Neven. Security proofs for identity-based identification 
and signature schemes. http://www.cse.ucsd.edu/users/mihir/crypto-research-papers.html, 
February 2004. 

[3] M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko. The one-more-RSA-inversion 
problems and the security of Chaum's blind signature scheme. J. Cryptology, 
16(3):185-215, June 2003. 

[4] M. Bellare and A. Palacio. GQ and Schnorr identification schemes: Proofs of security 
against impersonation under active and concurrent attack. In M. Yung, editor, CRYPTO 
2002, volume 2442 of LNCS, pages 162-177. Springer-Verlag, August 2002. 

[5] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient 
protocols. In ACM, editor, Proc. of the 1st CCS, pages 62-73. ACM Press, November 
1993. 

[6] T. Beth. Efficient zero-knowledged identification scheme for smart cards. In C. Günther, 
editor, EUROCRYPT 1988, volume 330 of LNCS, pages 77-86. Springer-Verlag, May 
1988. 

[7] D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. In J. Kilian, 
editor, CRYPTO 2001, volume 2139 of LNCS, pages 213-229. Springer-Verlag, August 
2001. 

[8] J.C. Cha and J.H. Cheon. An identity-based signature from gap Diffie-Hellman groups. 
In Y. Desmedt, editor, PKC 2003, volume 2567 of LNCS, pages 18-30. Springer-Verlag, 
January 2003. 




Security Proofs for Identity-Based Identification and Signature Schemes 285 



[9] Y. Dodis, J. Katz, S. Xu, and M. Yung. Strong key-insulated signature schemes. In 
Y. Desmedt, editor, PKC 2003, volume 2567 of LNCS, pages 130-144. Springer-Verlag, 
January 2003. 

[10] U. Feige, A. Fiat, and A. Shamir. Zero knowledge proofs of identity. J. Cryptology, 
1(2):77-94, 1988. 

[11] A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and 
signature problems. In A. Odlyzko, editor, CRYPTO 1986, volume 263 of LNCS, pages 
186-194. Springer-Verlag, August 1986. 

[12] M. Fischlin and R. Fischlin. The representation problem based on factoring. In B. Preneel, 
editor, CT-RSA 2002, volume 2271 of LNCS, pages 96-113. Springer-Verlag, February 
2002. 

[13] M. Girault. An identity-based identification scheme based on discrete logarithms modulo a 
composite number. In I. Damgård, editor, EUROCRYPT 1990, volume 473 of LNCS, pages 
481-486. Springer-Verlag, May 1990. 

[14] M. Girault. Self-certified public keys. In D. Davies, editor, EUROCRYPT 1991, volume 
547 of LNCS, pages 490-497. Springer-Verlag, April 1991. 

[15] S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive 
chosen-message attacks. SIAM J. Computing, 17(2):281-308, April 1988. 

[16] L. Guillou and J.J. Quisquater. A "paradoxical" identity-based signature scheme resulting 
from zero-knowledge. In S. Goldwasser, editor, CRYPTO 1988, volume 403 of LNCS, 
pages 216-231. Springer-Verlag, August 1989. 

[17] F. Hess. Efficient identity based signature schemes based on pairings. In K. Nyberg and 
H. Heys, editors, Selected Areas in Cryptography, SAC 2002, pages 310-324. Springer-Verlag, 
February 2003. 

[18] K. Kurosawa and S.-H. Heng. From digital signature to ID-based identification/signature. 
In PKC 2004. Springer-Verlag, 2004. 

[19] K. Ohta and T. Okamoto. A modification of the Fiat-Shamir scheme. In S. Goldwasser, editor, 
CRYPTO 1988, volume 403 of LNCS, pages 232-243. Springer-Verlag, August 1990. 

[20] K. Ohta and T. Okamoto. On concrete security treatment of signatures derived from identification. 
In H. Krawczyk, editor, CRYPTO 1998, volume 1462 of LNCS, pages 354-370. 
Springer-Verlag, August 1998. 

[21] T. Okamoto. Provably secure and practical identification schemes and corresponding signature 
schemes. In E. Brickell, editor, CRYPTO 1992, volume 740 of LNCS, pages 31-53. 
Springer-Verlag, August 1992. 

[22] H. Ong and C. Schnorr. Fast signature generation with a Fiat Shamir-like scheme. In 
I. Damgård, editor, EUROCRYPT 1990, volume 473 of LNCS, pages 432-440. Springer-Verlag, 
May 1990. 

[23] K.G. Paterson. ID-based signatures from pairings on elliptic curves. Technical Report 
2002/004, IACR ePrint Archive, January 2002. 

[24] D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. 
J. Cryptology, 13(3):361-396, 2000. 

[25] S. Saeednia and R. Safavi-Naini. On the security of Girault's identification scheme. In 
H. Imai and Y. Zheng, editors, PKC 1998, volume 1431 of LNCS, pages 149-153. Springer-Verlag, 
February 1998. 

[26] R. Sakai, K. Ohgishi, and M. Kasahara. Cryptosystems based on pairing. In SCIS 2000, 
Okinawa, Japan, January 2000. 

[27] C. Schnorr. Efficient identification and signatures for smartcards. In G. Brassard, editor, 
CRYPTO 1989, volume 435 of LNCS, pages 239-252. Springer-Verlag, August 1990. 

[28] C. Schnorr. Security of $2^t$-root identification and signatures. In N. Koblitz, editor, CRYPTO 
1996, volume 1109 of LNCS, pages 143-156. Springer-Verlag, August 1996. 




286 



Mihir Bellare, Chanathip Namprempre, and Gregory Neven 



[29] A. Shamir. Identity-based cryptosystems and signature schemes. In G.R. Blakely and 
D. Chaum, editors, CRYPTO 1984, volume 196 of LNCS, pages 47-53. Springer-Verlag, 
1984. 

[30] V. Shoup. On the security of a practical identification scheme. J. Cryptology, 12(4):247- 
260, 1999. 

[31] J. Stern, D. Pointcheval, J. Malone-Lee, and N.P. Smart. Flaws in applying proof methodologies 
to signature schemes. In M. Yung, editor, CRYPTO 2002, volume 2442 of LNCS, 
pages 93-110. Springer-Verlag, August 2002. 

[32] X. Yi. An identity-based signature scheme from the Weil pairing. IEEE Communications 
Letters, 7(2):76-78, 2003. 




Concurrent Signatures 



Liqun Chen¹, Caroline Kudla²*, and Kenneth G. Paterson²** 

¹ Hewlett-Packard Laboratories, Bristol, UK 
liqun.chen@hp.com 
² Information Security Group 
Royal Holloway, University of London, UK 
{c.j.kudla, kenny.paterson}@rhul.ac.uk 



Abstract. We introduce the concept of concurrent signatures. These 
allow two entities to produce two signatures in such a way that, from 
the point of view of any third party, both signatures are ambiguous 
with respect to the identity of the signing party until an extra piece 
of information (the keystone) is released by one of the parties. Upon 
release of the keystone, both signatures become binding to their true 
signers concurrently. 

Concurrent signatures fall just short of providing a full solution to the 
problem of fair exchange of signatures, but we discuss some applications 
in which concurrent signatures suffice. Concurrent signatures are highly 
efficient and require neither a trusted arbitrator nor a high degree of in- 
teraction between parties. We provide a model of security for concurrent 
signatures, and a concrete scheme which we prove secure in the random 
oracle model under the discrete logarithm assumption. 

Keywords: Concurrent signatures, fair exchange, Schnorr signatures, 
ring signatures. 



1 Introduction 

The problem of fair exchange of signatures is a fundamental and well-studied 
problem in cryptography, with potential application in a wide range of scenarios 
in which the parties involved are mutually distrustful. Ideally, we would like the 
exchange of signatures to be done in a fair way, so that by engaging in a protocol, 
either each party obtains the other’s signature, or neither party does. It should 
not be possible for one party to terminate the protocol at some stage leaving the 
other party committed when they themselves are not. 

The literature contains essentially two different approaches to solving the 
problem of fair exchange of signatures. 

Early work on solving the problem was based on the idea of timed release or
timed fair exchange of signatures [BN00, EGL85, G83]. Here, the two parties sign
their respective messages and exchange their signatures “little-by-little” using
a protocol. Typically, such protocols are highly interactive with many message
flows. Moreover, one party, say B, may often be at an advantage in that he
sometimes has (at least) one more bit of A’s signature than she has of B’s. This
may not be a significant issue if the computing power of the two parties is
roughly equivalent. But if B has superior computing resources, this may put
him at a significant advantage since he may terminate the protocol early and
use his resources to compute the remainder of A’s signature, while it may be
infeasible for A to do the same. Even if the fairness of such protocols could be
guaranteed, they may still be too interactive for many applications. See [GP03]
for further details and references for such protocols.

An alternative approach to solving the problem of fair exchange of signatures 
involves the use of a (semi-trusted) third party or arbitrator T who can be called 
upon to handle disputes between signers. The idea is that A registers her public 
key with T in a one-time registration, and thereafter may perform many fair 
exchanges with other entities. To take part in a fair exchange with B, A creates 
a partial signature which she sends to B. Entity B can be convinced that the 
partial signature is valid (perhaps via a protocol interaction with A) and that 
T can extract a full, binding signature from the partial signature. However, the 
partial signature on its own is not binding for A. B then fulfils his commitment by 
sending A his signature, and if valid, A releases the full version of her signature 
to B. The protocol is fair since if B does not sign, then A’s partial signature 
is worthless to B, and if B does sign but A refuses to release her full signature 
then B can obtain it from T. The third party is only required in case of dispute; 
for this reason, protocols of this type are commonly referred to as optimistic 
fair exchange protocols. See [ASW98, ASW00, BGLS03, BW00, GS03, DR03,
GJM99, PGS03] for further details of such schemes.

The main problem with such an approach is the requirement for a dispute-
resolving third party with functions beyond those required of a normal Certifi-
cation Authority. In general, appropriate third parties may not be available.

It is our thesis that the full power of fair exchange is not necessary in many 
application scenarios. This paper introduces a somewhat weaker concept, which 
we name concurrent signatures. The cost of concurrent signatures is that they do 
not provide the full security guarantees of a fair exchange protocol. Their benefit 
is that they have none of the disadvantages of previous solutions: they do not 
require a special trusted third party¹, and they do not rely on a computational
balance between the parties. Moreover, our concrete realization is computation- 
ally and bandwidth efficient. Informally, concurrent signatures appear to be as 
close to fair exchange as it’s possible to get whilst staying truly practical and 
not relying on special third parties. 

1.1 Our Contributions 

We introduce the notion of concurrent signatures and concurrent signature pro- 
tocols. In a concurrent signature protocol, two parties A and B interact without 

¹ Our concurrent signatures will still require a conventional CA for the distribution of
public keys, but not a trusted third party with any other special functions.
the help of a third party to sign (possibly identical) messages $M_A$ and $M_B$ in
such a way that both A and B become publicly committed to their respective 
messages at the same moment in time (i.e. concurrently). This moment is deter- 
mined by one of the parties through the release of an extra piece of information 
k which we call a keystone. Before the keystone’s release, neither party is pub- 
licly committed through their signatures, while after this point, both are. In 
fact, from a third party’s point of view, before the keystone is released, both 
parties could have produced both signatures, so the signatures are completely 
ambiguous. 

Note that the party who controls the keystone k has a degree of extra power: 
it controls the timing of the keystone release and indeed whether the keystone 
is released at all. Upon receipt of B’s signature $\sigma_B$, A might privately show
$\sigma_B$ and $k$ to a third party C and gain some advantage from doing so. This
is the main feature that distinguishes concurrent signatures from fair exchange 
schemes. In a fair exchange scheme, each signer A should either have recourse 
to a third party to release the other party B’s signature or be assured that
B cannot compute A’s signature significantly more easily than A can compute
B’s. With concurrent signatures, only when A releases the keystone do both 
signatures become simultaneously binding, and there is no guarantee that A 
will do so. However, in the real world, there are often existing mechanisms that 
can naturally be used to guarantee that B will receive the keystone should 
his signature be used. These existing mechanisms can provide a more natural 
dispute resolution process than reliance on a special trusted party. We argue 
that concurrent signatures are suited to any fair exchange application where: 

— There is no sense in A withholding the keystone because she needs it to 
obtain a service from B. For example, suppose B sells computers. A signs a 
payment instruction to pay B the price of a computer, and B signs that he 
authorizes her to pick one up from the depot (B’s signature may be thought
of as a receipt). Then A can withhold the keystone, but as soon as she tries
to pick up her computer, B will ask for a copy of his signature authorizing
her to collect one. In this way B can obtain the keystone which validates A’s
payment signature. In this example, the application itself forces the delivery 
of the keystone to B. 

— There is no possibility of A keeping B's signature private in the long term. 
For example, consider the routine “four corner” credit card payment model. 
Here C may be A’s acquiring bank, and B’s signature may represent a pay-
ment to A that A must channel via C to obtain payment. Bank C would
then communicate with B’s issuing bank D to obtain payment against B’s
signature and D could ensure that B's signature, complete with keystone, 
reaches B (perhaps via a credit card statement). As soon as B has the key- 
stone, A becomes bound to her signature. In this application, the back-end 
banking system provides a mechanism by which keystones would reach B if 
A were to withhold them. 

— There is a single third party C who verifies both A and B’s signature. Now, if
A tries to present B’s signature along with $k$ to C whilst withholding $k$ from
B, B will be able to present A’s signature to C and have it verified. As an
application, consider the (perhaps somewhat artificial) scenario where A and 
B are two politicians from different parties who want to form a coalition to 
jointly release a piece of information to the press C in such a way that neither 
of them is identified as being the sole signatory to the release. Concurrent 
signatures seem just right for this task. Here the keystone is not necessarily 
returned to B, but it does reach the third party to whom B wishes to show 
A’s signature. 

We also consider an example where concurrent signatures provide a novel 
solution to an old problem: that of fair tendering of contracts (our signatures 
can also be used in a similar way in auction applications). Suppose that A has 
a bridge-building contract that she wishes to put out to tender, and suppose 
companies B and C wish to put in proposals to win the contract and build the 
bridge. This process is sometimes open to abuse by A since she can privately show 
B's signed proposal to C to enable C to better the proposal. Using concurrent 
signatures, B would sign his proposal to build the bridge for an amount X, 
but keep the keystone private. If A wishes to accept the proposal, she returns a 
payment instruction to pay B amount X. She knows that if B attempts to collect 
the payment, then A will obtain the keystone through the banking system. But A 
may also wish to examine C’s proposal before deciding which to accept. However 
there is no advantage for A to show B’s signature to C since at this point B’s
signature is ambiguous and so C will not be convinced of anything at all by 
seeing it. We see that the tendering process is immune to abuse by A. We note 
that this example makes use of the ambiguity of our signatures prior to the 
keystone release, and although the solution can be realized by using standard 
fair exchange protocols, such protocols do not appear to previously have been 
suggested for this purpose. 

Our schemes are not abuse-free in the sense of [BW00, GJM99], since the
party A who holds the keystone can always determine whether to complete 
or abort the exchange of signatures, and can demonstrate this by showing an 
outside party C the signature from B with the keystone before revealing the 
keystone to B. However the above example shows that abuse can be addressed 
by our schemes in certain applications. 



1.2 Technical Approach 

We briefly explain how a concurrent signature protocol can be built using the 
ambiguity property enjoyed by ring signatures [RST01, AOS02] and designated
verifier signatures [JSI96]. This introduces the key technical idea of our paper. 

A two-party ring signature has the property that it could have been pro- 
duced by either of the two parties. A similar property is shared by designated 
verifier signatures. We will refer to any signature scheme with this property as 
an ambiguous signature scheme and we will formalize the notion of ambiguity 
for signatures in the sequel. Since either of two parties could have produced such 
an ambiguous signature, both parties can deny having produced it. However, we 
note that if A creates an ambiguous signature which only either A or B could
have created, and sends this to B, then B is convinced of the authorship of the 
signature (since he knows that he did not create it himself). However B cannot 
prove this to a third party. The same situation applies when the roles of A and 
B are reversed. 

Suppose now that the ambiguous signature scheme has the property that,
when A computes an ambiguous signature, she must choose some random bits
$h_B$ to combine with B’s public key, but that the signing process is otherwise
deterministic. Likewise, suppose the same is true for B with random bits $h_A$
(when the roles of A and B are interchanged). Suppose A creates an ambiguous
signature $\sigma_A$ on $M_A$ using bits $h_B$ that are derived by applying a hash function
to a string $k$ that is secret to A; $h_B$ is then a commitment to $k$. B can verify
that A created the signature $\sigma_A$ but not demonstrate this to a third party. Now
B can create an ambiguous signature $\sigma_B$ on $M_B$ using as its input $h_A$ the same
$h_B$ that A used. Again, A can verify that B is the signer. As long as $k$ remains
secret, neither party can demonstrate authorship to a third party.

But now if A publishes the keystone $k$, then any third party can be convinced
of the authorship of both signatures. The reason for this is that the only way that
B could produce $\sigma_B$ is by following his signing algorithm, choosing randomness
$h_A$ and deterministically producing $\sigma_B$. The existence of a pre-image $k$ of B’s
randomness $h_A$ determines B as being the only party who could have conducted
the signature generation process to produce $\sigma_B$. The same holds true for A and
$\sigma_A$. Thus the pairs $(k, \sigma_A)$ and $(k, \sigma_B)$ amount to a simultaneously binding pair
of signatures on A and B’s messages. We call these pairs concurrent signatures.

We point out that Rivest et al. in their pioneering work on ring signatures 
[RST01] considered the situation in which an anonymous signer A wants to have
the option of later proving his authorship of a ring signature. Their solution
was to choose the bits $h_B$ pseudo-randomly and later to reveal the seed used to
generate $h_B$. In this work, we use the same trick for a new purpose: to ensure
that either both or neither of the parties can be identified as signers of messages. 

We note that any suitably ambiguous signature scheme can be used to pro- 
duce a concurrent signature protocol. We choose to base our concrete scheme 
on the non-separable ring signature scheme of [AOS02]. This scheme is, in turn, 
an adaptation of the Schnorr signature scheme. A second concrete scheme can 
be built from the short ring signature scheme of [BGLS03] using our ideas. An 
earlier version of our scheme used the designated verifier signatures of [JSI96]
instead; however, it achieved slightly weaker ambiguity properties than our con-
crete scheme. 

We give generic definitions of concurrent signatures and concurrent signature 
protocols, a suitably powerful multi-party adversarial model for this setting, and 
give a formal definition of what it means for such schemes and protocols to 
be secure. Security is defined via the notions of unforgeability, ambiguity and 
fairness. 

Because our concrete scheme is ultimately based on the Schnorr signature 
scheme [S91], we are able to directly relate its security to the hardness of the 
discrete logarithm problem in an appropriate group. In doing this, we make use
of the forking lemma methodology of [PS96, PS00]; for this reason, our security
proof will be in the random oracle model. 

2 Formal Definitions 

2.1 Concurrent Signature Algorithms 

We now give a more formal definition of a concurrent signature scheme. Our 
protocols are naturally multi-party ones, so our model assumes a system with a 
number of different participants that is polynomial in the security parameter $l$.

Definition 1. A concurrent signature scheme is a digital signature scheme com- 
prised of the following algorithms: 

SETUP: A probabilistic algorithm that on input a security parameter $l$, outputs
descriptions of: the set of participants $\mathcal{U}$, the message space $\mathcal{M}$, the signature
space $\mathcal{S}$, the keystone space $\mathcal{K}$, the keystone fix space $\mathcal{F}$, and a function
$\mathrm{KGEN}: \mathcal{K} \to \mathcal{F}$. The algorithm also outputs the public keys $\{X_i\}$ of all
the participants, each participant retaining their private key $x_i$, and any
additional system parameters $\pi$.

ASIGN: A probabilistic algorithm that on inputs $(X_i, X_j, x_i, h_2, M)$, where
$h_2 \in \mathcal{F}$, $X_i$ and $X_j \neq X_i$ are public keys, $x_i$ is the private key corresponding
to $X_i$, and $M \in \mathcal{M}$, outputs an ambiguous signature $\sigma = (s, h_1, h_2)$ on $M$,
where $s \in \mathcal{S}$, $h_1, h_2 \in \mathcal{F}$.

AVERIFY: An algorithm which takes as input $S = (\sigma, X_i, X_j, M)$, where
$\sigma = (s, h_1, h_2)$, $s \in \mathcal{S}$, $h_1, h_2 \in \mathcal{F}$, $X_i$ and $X_j$ are public keys, and
$M \in \mathcal{M}$, outputs accept or reject. We also require that if $\sigma' = (s, h_2, h_1)$, then
$\mathrm{AVERIFY}(\sigma', X_j, X_i, M) = \mathrm{AVERIFY}(\sigma, X_i, X_j, M)$. We call this the sym-
metry property of AVERIFY.

VERIFY: An algorithm which takes as input $(k, S)$ where $k \in \mathcal{K}$ is a keystone
and $S$ is of the form $S = (\sigma, X_i, X_j, M)$, where $\sigma = (s, h_1, h_2)$ with
$s \in \mathcal{S}$, $h_1, h_2 \in \mathcal{F}$, $X_i$ and $X_j$ are public keys, and $M \in \mathcal{M}$. The algorithm
checks if $\mathrm{KGEN}(k) = h_2$. If not, it terminates with output reject. Otherwise
it runs $\mathrm{AVERIFY}(S)$ (in which case the output of VERIFY is just that of
AVERIFY).

We call a signature $\sigma$ an ambiguous signature and any pair $(k, \sigma)$, where $k$ is a
valid keystone for $\sigma$, a concurrent signature. The obvious correctness properties
for ambiguous and concurrent signatures are formalized in Section 3.

2.2 Concurrent Signature Protocol 

We will describe a concurrent signature protocol between two parties A and 
B (or Alice and Bob). Since one party needs to create the keystone and send
the first ambiguous signature, we call this party the initial signer. A party who 
responds to this initial signature by creating another ambiguous signature with
the same keystone fix we call a matching signer. Without loss of generality, we
assume A to be the initial signer, and B the matching signer. From here on, we
will use subscripts A and B to indicate initial signer A and matching signer B.
The signature protocol works as follows:

A and B run SETUP to determine the public parameters of the scheme. We
assume that A’s public and private keys are $X_A$ and $x_A$, and B’s public and
private keys are $X_B$ and $x_B$.

1: A picks a random keystone $k \in \mathcal{K}$, and computes $f = \mathrm{KGEN}(k)$. A takes her
own public key $X_A$ and B’s public key $X_B$ and picks a message $M_A \in \mathcal{M}$ to
sign. A then computes her ambiguous signature to be

$$\sigma_A = (s_A, h_A, f) = \mathrm{ASIGN}(X_A, X_B, x_A, f, M_A),$$

and sends this to B.

2: Upon receiving A’s ambiguous signature $\sigma_A$, B verifies the signature by check-
ing that $\mathrm{AVERIFY}((s_A, h_A, f), X_A, X_B, M_A) = \mathrm{accept}$. If not B aborts, other-
wise B picks a message $M_B \in \mathcal{M}$ to sign and computes his ambiguous signature

$$\sigma_B = (s_B, h_B, f) = \mathrm{ASIGN}(X_B, X_A, x_B, f, M_B)$$

and sends this back to A. Note that B uses the same value $f$ in his signature as
A did to produce $\sigma_A$.

3: Upon receiving B’s signature $\sigma_B$, A verifies that
$\mathrm{AVERIFY}((s_B, h_B, f), X_B, X_A, M_B) = \mathrm{accept}$, where $f$ is the same keystone
fix as A used in Step 1. If not, A aborts, otherwise A sends keystone $k$ to B.

Note that inputs $(k, S_A)$ and $(k, S_B)$ will now both be accepted by VERIFY,
where $S_A = ((s_A, h_A, f), X_A, X_B, M_A)$ and $S_B = ((s_B, h_B, f), X_B, X_A, M_B)$.



3 Formal Security Model 

We present a formal security model for concurrent signatures in this section. 



3.1 Correctness 

We give a formal definition of correctness for a concurrent signature scheme. 

Definition 2. We say that a concurrent signature scheme is correct if the fol- 
lowing conditions hold. 

If $\sigma = (s, h_1, f) = \mathrm{ASIGN}(X_i, X_j, x_i, f, M)$, and $S = (\sigma, X_i, X_j, M)$, then
$\mathrm{AVERIFY}(S) = \mathrm{accept}$. Moreover, if $\mathrm{KGEN}(k) = f$ for some $k \in \mathcal{K}$, then
$\mathrm{VERIFY}(k, S) = \mathrm{accept}$.
3.2 Unforgeability

We give a formal definition of existential unforgeability of a concurrent signature 
scheme under a chosen message attack in the multi-party setting. To do this, 
we extend the definition of existential unforgeability against a chosen message 
attack of [GMR88] to the multi-party setting. Our extension is similar to that 
of [BOS] and is strong enough to capture an adversary who can simulate and 
observe concurrent signature protocol runs between any pair of participants. It 
is defined using the following game between an adversary E and a challenger C . 

Setup: C runs SETUP for a given security parameter $l$ to obtain descriptions
of $\mathcal{U}$, $\mathcal{M}$, $\mathcal{S}$, $\mathcal{K}$, $\mathcal{F}$, and $\mathrm{KGEN}: \mathcal{K} \to \mathcal{F}$. SETUP also outputs the public and
private keys $\{X_i\}$ and $\{x_i\}$ and any additional public parameters $\pi$. E is
given all the public parameters and the public keys $\{X_i\}$ of all participants.
C retains the private keys $\{x_i\}$.

E can make the following types of query to the challenger C: 

KGen Queries: E can request that C select a keystone $k \in \mathcal{K}$ and return the
keystone fix $f = \mathrm{KGEN}(k)$. If E wishes to choose his own keystone, then he
can compute his own keystone fix using KGEN directly.

KReveal Queries: E can request that C reveal the keystone $k$ that it used
to produce a keystone fix $f \in \mathcal{F}$ in a previous KGen query. If $f$ was not a
previous KGen output then C outputs invalid, otherwise C outputs $k$ where
$f = \mathrm{KGEN}(k)$.

ASign Queries: E can request an ambiguous signature for any input of the
form $(X_i, X_j, h_2, M)$ where $h_2 \in \mathcal{F}$, $X_i$ and $X_j \neq X_i$ are public keys
and $M \in \mathcal{M}$. C responds with an ambiguous signature
$\sigma = (s, h_1, h_2) = \mathrm{ASIGN}(X_i, X_j, x_i, h_2, M)$. Note that using ASign queries
in conjunction with KGen queries, E can obtain concurrent signatures $(k, \sigma)$
for messages and pairs of users of his choice.

AVerify and Verify Queries: Answers to these queries are not provided by 
C since E can compute them for himself using the AVERIFY and VERIFY 
algorithms. 

Private Key Extract Queries: E can request the private key corresponding
to the public key of any participant $X_i$. In response C outputs $x_i$.

Output: Finally E outputs a tuple $\sigma = (s, h_1, f)$ where $s \in \mathcal{S}$, $h_1, f \in \mathcal{F}$, along
with public keys $X_c$ and $X_d$, and a message $M \in \mathcal{M}$. The adversary wins
the game if $\mathrm{AVERIFY}((s, h_1, f), X_c, X_d, M) = \mathrm{accept}$, and if either of the
following two cases hold:

1. No ASign query with input either of the tuples $(X_c, X_d, f, M)$ or
$(X_d, X_c, h_1, M)$ was made by E, and no Private Key Extract query was
made by E on either $X_c$ or $X_d$.

2. No ASign query with input $(X_c, X_i, f, M)$ was made by E for any
$X_i \neq X_c$, $X_i \in \mathcal{U}$, no Private Key Extract query with input $X_c$ was made by
E, and either $f$ was a previous output from a KGen query or E produces
a keystone $k$ such that $f = \mathrm{KGEN}(k)$.
Definition 3. We say that a concurrent signature scheme is existentially un-
forgeable under a chosen message attack in the multi-party model if the prob-
ability of success of any polynomially bounded adversary in the above game is
negligible (as a function of the security parameter $l$).

Case 1 of the output conditions in the above game models forgery of an am- 
biguous signature in the situation where the adversary does not have knowledge 
of either of the respective private keys. This condition is required for our pro- 
tocol so that the matching signer B is convinced that A’s ambiguous signature
can only originate from A. Case 2 models forgery in the situation where the 
adversary knows one of the private keys and so applies to the situation in our 
protocol where one of the two parties attempts to cheat the other. More specif- 
ically, it covers attacks where an initial signer forges a concurrent signature by 
a matching signer, and where a matching signer has access to an initial signer’s 
ambiguous signature and keystone fix (but not the actual keystone) and forges 
a concurrent signature of the initial signer. 

A further point to note is that in case 2, we insist that no ASign query of the
form $(X_c, X_i, f, M)$ is made, for any $X_i \neq X_c$, $X_i \in \mathcal{U}$. This is because, given
a valid ambiguous signature $\sigma = (s, h_1, f)$ for public keys $X_c$ and $X_i$, and the
private keys of both $X_i$ and $X_d$, it may be possible to create a valid ambiguous
signature $\sigma' = (s', h_1, f)$ with public keys $X_c$ and $X_d$ on a message $M$. This is
certainly the case for our concrete scheme, but should not be considered as a
useful forgery because an attacker does not succeed in changing who is actually
bound by the signature: in this case $X_c$.



3.3 Ambiguity 

Ambiguity for a concurrent signature is defined by the following game between
an adversary E and a challenger C.

Setup: This is as before in the game of Section 3.2. 

Phase 1: E makes a sequence of KGen, KReveal, ASign and Private Key Ex- 
tract queries. These are answered by C as in the unforgeability game of 
Section 3.2. 

Challenge: Then E selects a challenge tuple $(X_i, X_j, M)$ where $X_i$ and $X_j$
are public keys, and $M \in \mathcal{M}$ is the message to be signed. In response, C
randomly selects $k \in \mathcal{K}$ and computes $f = \mathrm{KGEN}(k)$, then randomly selects
a bit $b \in \{0, 1\}$. C outputs $\sigma_1 = (s_1, h_1, f) = \mathrm{ASIGN}(X_i, X_j, x_i, f, M)$ if
$b = 0$; otherwise C computes $\sigma_2' = (s_2, h_2, f) = \mathrm{ASIGN}(X_j, X_i, x_j, f, M)$
and outputs $\sigma_2 = (s_2, f, h_2)$.

Phase 2: E may make another sequence of queries as in Phase 1; these are
handled by C as before.

Output: Finally E outputs a guess bit $b' \in \{0, 1\}$. E wins if $b' = b$ and E has
not made a KReveal query on any of the values $f$, $h_1$ or $h_2$.

Definition 4. We say that a concurrent signature scheme is ambiguous if no
polynomially bounded adversary has advantage that is non-negligibly greater than
1/2 of winning in the above game.

We note that ambiguity in our concrete concurrent signature scheme will 
come directly from the ambiguity property of an underlying ring signature 
scheme. However the definition for ambiguity (or anonymity) in two-party ring 
signatures [RST01, BSS02, ZK02] states that an unbounded adversary should
have probability exactly 1/2 of guessing b correctly. Our definition must be 
slightly weaker because in our ambiguous signatures, one of our h values is gener- 
ated by KGEN and is therefore at best pseudorandom. However, since we model 
KGEN by a random oracle when proving ambiguity for our concrete scheme, we 
achieve perfect ambiguity as in the stronger definition for ring signatures. 



3.4 Fairness 

We require the concurrent signature scheme and protocol to be fair for both 
an initial signer A, and a matching signer B. This concept is defined via the 
following game between an adversary E and a challenger C: 

Setup: This is as before in the game of Section 3.2. 

KGen, KReveal, ASign and Private Key Extract Queries: These que-
ries are answered by C as in the unforgeability game of Section 3.2.

Output: Finally E chooses the challenge public keys $X_c$ and $X_d$, outputs a
keystone $k \in \mathcal{K}$, and $S = (\sigma, X_c, X_d, M)$ where $\sigma = (s, h_1, f)$, $s \in \mathcal{S}$,
$h_1, f \in \mathcal{F}$, and $M \in \mathcal{M}$, and where $\mathrm{AVERIFY}(S) = \mathrm{accept}$. The adversary
wins the game if either of the following cases hold:

1. If $f$ was a previous output from a KGen query, no KReveal query on
input $f$ was made, and if $(k, S)$ is accepted by VERIFY.

2. If E also produces $S' = (\sigma', X_d, X_c, M')$, with $\sigma' = (s', h_1', f)$, $s' \in \mathcal{S}$,
$h_1', f \in \mathcal{F}$, message $M' \in \mathcal{M}$, where $\mathrm{AVERIFY}(S') = \mathrm{accept}$, and $(k, S)$
is accepted by VERIFY, but $(k, S')$ is not accepted by VERIFY.



Definition 5. We say that a concurrent signature scheme is fair if a polynomi- 
ally bounded adversary’s probability of success in the above game is negligible. 

Our definition of fairness formalizes our intuitive understanding of fairness 
for A in the protocol of Section 2.2 (in case 1 of the output conditions), since it 
guarantees that only the entity who generates a keystone can use it to create a 
binding signature (by revealing it). It also captures fairness for B (in case 2 of 
the output conditions), since it guarantees that any valid ambiguous signatures 
produced using the same keystone fix will all become binding. Thus B cannot 
be left in a position where a keystone binds his signature to him while A’s initial 
signature is not also bound to A. However note that our definition does not 
guarantee that B will ever receive the necessary keystone. 
3.5 Security

Definition 6. We say that a correct concurrent signature scheme is secure if 
it is existentially unforgeable under a chosen message attack in the multi-party 
setting, ambiguous, and fair. 

4 A Concrete Concurrent Signature Scheme 

We present a concrete concurrent signature scheme in which the underlying am- 
biguous signatures and the resulting concurrent signatures are obtained by mod- 
ifying signatures in the basic scheme of Schnorr [S91]. The scheme’s algorithms 
(SETUP, ASIGN, AVERIFY, VERIFY) are as follows: 

SETUP: On input a security parameter $l$, two large primes $p$ and $q$ are selected
such that $q \mid p - 1$. These are published along with an element $g$ of $(\mathbb{Z}/p\mathbb{Z})^*$
of order $q$, where $q$ is exponential in $l$. The spaces $\mathcal{S}, \mathcal{F}, \mathcal{M}, \mathcal{K}$ are defined as
follows: $\mathcal{S} = \mathcal{F} = \mathbb{Z}_q$ and $\mathcal{M} = \mathcal{K} = \{0, 1\}^*$. Two cryptographic hash functions
$H_1, H_2 : \{0, 1\}^* \to \mathbb{Z}_q$ are also selected and we define KGEN to be $H_1$.
Private keys $x_i$, $1 \le i \le n$ are chosen uniformly at random from $\mathbb{Z}_q$, where
$n$ is polynomial in $l$. The public keys are computed as $X_i = g^{x_i} \bmod p$ and
are made public.

ASIGN: This algorithm takes as input $(X_i, X_j, x_i, h_2, M)$, where $X_i, X_j \neq X_i$
are public keys, $x_i \in \mathbb{Z}_q$ is the private key corresponding to $X_i$, $h_2 \in \mathcal{F}$ and
$M \in \mathcal{M}$ is a message. The algorithm picks a random value $t \in \mathbb{Z}_q$ and then
computes the values:

$$h = H_2(g^t X_j^{h_2} \bmod p \,\|\, M),$$
$$h_1 = h - h_2 \bmod q,$$
$$s = t - h_1 x_i \bmod q.$$

Here “$\|$” denotes concatenation. The algorithm outputs $\sigma = (s, h_1, h_2)$.

AVERIFY: This algorithm takes as input $(\sigma, X_i, X_j, M)$ where $\sigma = (s, h_1, h_2)$,
$s \in \mathcal{S}$, $h_1, h_2 \in \mathcal{F}$, $X_i$ and $X_j$ are public keys, and $M \in \mathcal{M}$ is a message.
The algorithm checks that the equation

$$h_1 + h_2 = H_2(g^s X_i^{h_1} X_j^{h_2} \bmod p \,\|\, M) \bmod q$$

holds, and if so, outputs accept. Otherwise, it outputs reject.

VERIFY : This algorithm is defined in terms of KGEN and AVERIFY, as in 
Section 2.1. 

The ASIGN algorithm is a direct modification of the ring signature algorithm 
of [AOS02], and guarantees our property of ambiguity before the keystone is 
revealed. We require that $X_j \neq X_i$ since otherwise the signature would be a
standard Schnorr signature [S91] and would not be ambiguous. It is also easily 
checked that the scheme satisfies the definition of correctness and that AVERIFY 
has the required symmetry property. 

A concrete concurrent signature protocol can be derived directly from the 
algorithms defined above and the generic protocol in Section 2.2. 
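The following is an added worked example written for this page, not code from the paper or its authors: a Python implementation of the Section 4 algorithms (SETUP, KGEN $= H_1$, ASIGN, AVERIFY, VERIFY) driven through the three steps of the Section 2.2 protocol. Everything concrete in it is an assumption made for illustration: a safe-prime group with a 62-bit $q$ found by search (far too small for real use), SHA-256 reduced modulo $q$ with distinct prefixes standing in for $H_1$ and $H_2$, a fixed-width encoding of the group element for the “$\|$” concatenation, and constructed messages. The `third_party_view` helper makes the ambiguity argument concrete: it checks both readings of $\sigma_A$ permitted by the symmetry property, and the keystone then opens only the reading in which $f$ sits in the $h_2$ slot.

```python
"""Toy implementation of the Section 4 scheme and Section 2.2 protocol
(constructed parameters; ~62-bit q and SHA-256-based hashes, illustration only)."""
import hashlib
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(q_start=1 << 61):
    """SETUP: first safe-prime pair q, p = 2q+1 above q_start (constructed toy
    parameters). g = 4 is a square mod p, so it has order exactly q."""
    q = q_start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4  # (p, q, g)

def _hash_to_zq(tag, data, q):
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big") % q

def kgen(k, q):
    """KGEN = H_1: keystone k (bytes) -> keystone fix f in Z_q."""
    return _hash_to_zq(b"H1", k, q)

def h2(r, m, p, q):
    """H_2(r || M): r is a group element, encoded in fixed width before M."""
    return _hash_to_zq(b"H2", r.to_bytes((p.bit_length() + 7) // 8, "big") + m, q)

def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1   # private key x_i in Z_q
    return x, pow(g, x, p)             # (x_i, X_i = g^x_i mod p)

def asign(Xi, Xj, xi, hfix, m, params):
    """ASIGN(X_i, X_j, x_i, h_2, M) -> sigma = (s, h_1, h_2)."""
    p, q, g = params
    assert Xi != Xj, "X_j must differ from X_i, else this is a plain Schnorr signature"
    t = secrets.randbelow(q)
    h = h2(pow(g, t, p) * pow(Xj, hfix, p) % p, m, p, q)
    h1 = (h - hfix) % q
    s = (t - h1 * xi) % q
    return s, h1, hfix

def averify(sig, Xi, Xj, m, params):
    """AVERIFY: h_1 + h_2 == H_2(g^s X_i^h_1 X_j^h_2 mod p || M) mod q."""
    p, q, g = params
    s, h1, hfix = sig
    r = pow(g, s, p) * pow(Xi, h1, p) * pow(Xj, hfix, p) % p
    return (h1 + hfix) % q == h2(r, m, p, q)

def verify(k, S, params):
    """VERIFY: the keystone must open the h_2 slot, then defer to AVERIFY."""
    sig, Xi, Xj, m = S
    return kgen(k, params[1]) == sig[2] and averify(sig, Xi, Xj, m, params)

def run_protocol(params, A, B, mA, mB):
    """Section 2.2 protocol: A initial signer, B matching signer; None on abort."""
    (xA, XA), (xB, XB) = A, B
    k = secrets.token_bytes(32)                        # step 1: keystone k
    f = kgen(k, params[1])                             #         keystone fix f
    sigA = asign(XA, XB, xA, f, mA, params)
    if not averify(sigA, XA, XB, mA, params):          # step 2: B checks sigma_A
        return None
    sigB = asign(XB, XA, xB, f, mB, params)            #         and reuses f
    if not averify(sigB, XB, XA, mB, params):          # step 3: A checks sigma_B
        return None
    return k, (sigA, XA, XB, mA), (sigB, XB, XA, mB)   #         and releases k

def third_party_view(S, params):
    """Both readings of sigma pass AVERIFY (symmetry), so an outsider cannot tell who signed."""
    (s, h1, hfix), Xi, Xj, m = S
    return (averify((s, h1, hfix), Xi, Xj, m, params),
            averify((s, hfix, h1), Xj, Xi, m, params))

if __name__ == "__main__":
    P = setup()
    k, SA, SB = run_protocol(P, keygen(P), keygen(P), b"pay B 1000", b"collect one computer")
    print(third_party_view(SA, P), verify(k, SA, P), verify(k, SB, P))  # (True, True) True True
```

Before $k$ is released, `third_party_view` reports that $\sigma_A$ verifies both as A's signature (with $f$ in the $h_2$ slot) and as B's (with $h_A$ in that slot), which is exactly the ambiguity the scheme relies on. Once $k$ is known, `verify` accepts $(k, S_A)$ and $(k, S_B)$ but rejects the swapped reading of $\sigma_A$, because $\mathrm{KGEN}(k)$ equals $f$ and not the hash-derived $h_A$; a changed message or a wrong keystone is rejected as well.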
5 Security of the Concrete Concurrent Signature Scheme

We now state some security results for the concrete scheme of Section 4. The
proofs of Lemmas 1 and 3 are given in Appendix A. The proof of Lemma 2 is
routine, and the details are left to the reader. Our proofs of security are in the 
random oracle model [BR93]. 

Lemma 1. The concurrent signature scheme of Section 4 is existentially un- 
forgeable under a chosen message attack in the random oracle model, assuming 
the hardness of the discrete logarithm problem. 



Lemma 2. The concurrent signature scheme of Section 4 is ambiguous in the 
random oracle model. 



Lemma 3. The concurrent signature scheme of Section 4 is fair in the random 
oracle model. 



Theorem 1. The concurrent signature scheme of Section 4 is secure in the 
random oracle model, assuming the hardness of the discrete logarithm problem. 

Proof. The proof follows directly from Lemmas 1, 2 and 3. □ 

6 Extensions and Open Problems 

6.1 The Scheme Can Use a Variety of Keys 

Our concurrent signature scheme can be based on any ring signature scheme, as 
long as it is compatible with the keystone fix idea. Thus it is feasible to build 
concrete concurrent signature schemes using a variety of key types, and therefore 
the security of such schemes may be based on a variety of underlying hard 
problems. Furthermore, the key pairs in a single concurrent signature scheme 
do not have to be of the same type. The techniques to be used for achieving 
concurrent signatures from a variety of keys are the same as the key separability 
techniques for ring signatures as described in [AOS02]. 

6.2 The Multi-party Case 

It would be interesting to see if concurrent signatures could be extended to the 
multi-party case, that is, where many entities can fairly exchange signatures 
concurrently. The existing two party scheme can trivially be extended to include 
multiple matching signers. However we do not as yet have a model for fairness 
for such a scheme. It would also be interesting to investigate methods whereby 
the revelation of keystones did not depend entirely on the initial signer, but on 
the other signing parties as well. 
7 Conclusion

We introduced the notion of concurrent signatures, presented a concurrent sig-
nature scheme and related its security to the hardness of the discrete logarithm
problem in an appropriate security model. We have also discussed some appli-
cations for concurrent signatures, and the advantages they have over previous
work. In particular, we have compared concurrent signatures to techniques for
fair exchange of signatures, and presented some applications in which the full
security of fair exchange may not be necessary and the more pragmatic solution
of concurrent signatures suffices.
Appendix A

Proof of Lemma 1. The proof is similar to the proof of unforgeability of the
Schnorr signature scheme [S91] by Pointcheval and Stern [PS96], and makes use
of the forking lemma [PS96,PS00].

The Forking Lemma [PS96,PS00]: The forking lemma applies in particular to
signature schemes which on input a message M produce signatures of the form
(r₁, h, r₂) where r₁ takes its value randomly from a large set, h is the hash of
M and r₁, and r₂ depends only on r₁, M and h.

The forking lemma in [PS00] states that if E is a polynomial time Turing
machine with input only public data, which produces, in time τ and with proba-
bility η ≥ 10(μ_s + 1)(μ_s + μ_h)/2^l (where l is a security parameter) a valid
signature (m, r₁, h, r₂), where μ_h is the number of hash queries and μ_s is
the number of signature queries, and if triples (r₁, m, r₂) are simulatable with
indistinguishable probability distribution without knowledge of the secret key,
then there exists an algorithm A, which controls E and replaces E's interaction
with the signer by the simulation, and which produces two valid signatures
(m, r₁, h, r₂) and (m, r₁, h', r₂') such that h ≠ h' in expected time at most
τ' = 120686 μ_h τ/η.

Firstly, we note that our concurrent signature scheme in Section 4 on input
a message M, public keys X_i and X_j and a value h₂, produces signatures of
the required form (r₁, h, r₂), where r₁ = g^t X_j^{h₂} mod p (t being the random
value chosen in ASIGN) takes its values randomly in the order-q subgroup of Z_p^*
generated by g, h = h₁ + h₂ is the hash of M and r₁, and r₂ = s depends on
r₁, M and h. Although the actual output of the signature is the tuple (s, h₁, h₂),
the values r₁, h and r₂ can easily be derived from the output. We also note
that if by the forking methodology, we have two valid signatures (r₁, h, r₂) and
(r₁, h', r₂') on the same message M with h ≠ h', then provided that the value h₂
is computed before the relevant H₂ query, this would be equivalent to two
concurrent signatures (s, h₁, h₂) and (s', h₁', h₂) with h₁ ≠ h₁'.

We suppose that H₁ and H₂ are random oracles, and suppose there exists an
algorithm E who is able to forge concurrent signatures. So we assume that E is
an attacker that makes at most μ_i queries to the random oracles H_i, i ∈ {1, 2},
at most μ_s queries to the signing oracle, and wins the unforgeability game of
Section 3.2 in time at most τ with probability at least η = 10(μ_s + 1)(μ_s + μ₂)/q,
where q is exponential in the security parameter l.

We show how to construct an algorithm B that uses E to solve the discrete
logarithm problem. B will simulate the random oracles and the challenger C in
a game with E. B's goal is to solve the discrete logarithm problem on input
(g, X, p, q), that is to find x ∈ Z_q such that g^x = X mod p, where g is of prime
order q modulo prime p.

Simulation: B gives the parameters (g, p, q) to E. B generates a set of par-
ticipants U, where |U| = p(l) and p is a polynomial function of the security
parameter l. Each participant has a public key X_i and private key x_i. B guesses
that E will choose X_a in the position of X_c in its output. B sets X_a = X, and
for each i ≠ a, x_i is chosen randomly from Z_q, and B sets X_i = g^{x_i} mod p. E
is given all the public keys X_i. B now simulates the challenger by simulating all
the oracles which E can query as follows:

H₁-Queries: E can query the random oracle H₁ at any time. B simulates the
random oracle by keeping a list of tuples (M_i, r_i) which is called the H₁-List.
When the oracle is queried with an input M ∈ {0, 1}*, B responds as follows:

1. If the query M is already on the H₁-List in the tuple (M, r_i), then B
outputs r_i.

2. Otherwise B selects a random r ∈ Z_q, outputs r and adds (M, r) to the
H₁-List.

H₂-Queries: E can query the random oracle H₂ at any time. B simulates the
H₂ oracle in the same way as the H₁ oracle by keeping an H₂-List of tuples.

KGen Queries: E can request that the challenger select a keystone k ∈ K,
and return a keystone fix f = H₁(k). B maintains a K-List of tuples (k, f),
and answers queries by choosing a random keystone k ∈ K and computing
f = H₁(k). B outputs f and adds the tuple (k, f) to the K-List. Note that the
K-List is a sublist of the H₁-List, but is required to answer KReveal queries.

KReveal Queries: E can request the keystone of any keystone fix f ∈ F
produced by a previous KGen Query. If there exists a tuple (k, f) on the
K-List, then B returns k, otherwise it outputs invalid.

ASign Queries: B simulates the signature oracle by accepting signature queries
of the form (X_i, X_j, h₂, M) where h₂ ∈ F, X_i and X_j ≠ X_i are public keys,
and M ∈ M is the message to be signed. If X_i ≠ X_a then B computes the
signature as normal and outputs σ = (s, h₁, h₂) = ASIGN(X_i, X_j, x_i, h₂, M).
If X_i = X_a then B answers the query as follows:

1. B picks random h₁ and s in Z_q, computes T = g^s X_i^{h₁} X_j^{h₂} mod p, and
forms the string "T||M".

2. If h = h₁ + h₂ is equal to some previous output of the H₂ oracle, or if
"T||M" was some previous input, then return to step 1.

3. Otherwise add the tuple (T||M, h) to the H₂-List.

4. B outputs σ = (s, h₁, h₂) as the signature for message M with public
keys X_i and X_j.

Private Key Extract Queries: E can request the private key for any public 
key Xi. If Xi = Xa, then B terminates the simulation with E having failed to 
guess the correct challenge public key. Otherwise B returns the appropriate 
private key Xi. 

Output: Finally, with non-negligible probability, E outputs a signature σ =
(s, h₁, f) where s ∈ S, h₁, f ∈ F, along with public keys X_c and X_d, and a
message M ∈ M, where AVERIFY((s, h₁, f), X_c, X_d, M) = accept, and one
of the following two cases holds:

1. No ASign query with input either of the tuples (X_c, X_d, f, M) or
(X_d, X_c, h₁, M) was made by E, and no Private Key Extract query was
made by E on either X_c or X_d.

2. No ASign query with input (X_c, X_i, f, M) was made by E for any X_i ≠
X_c, X_i ∈ U, no Private Key Extract query with input X_c was made by
E, and either f was a previous output from a KGen query or E produces
a keystone k such that f = KGEN(k).

It is easy to show that case 1 of the output conditions can occur only with
negligible probability δ. This follows immediately from the unforgeability of the
underlying ring signature [AOS02], assuming the hardness of the discrete log-
arithm problem. An outline of the ring signature unforgeability proof is given
in [AOS02], hence we omit the details here. Since the adversary wins the game
with non-negligible probability, we assume that case 2 must have occurred.

If X_c ≠ X_a, then B aborts, having failed to guess the correct challenge
public key. Henceforth, we assume that X_c = X_a = X (this occurring with
probability 1/p(l) where p is a polynomial function). Given that B does not
abort for any reason, it can be seen that, because of the way B handles oracle
queries, the simulation seen by E is indistinguishable from a real interaction
with a challenger.

Because in case 2 algorithm AVERIFY with E's signature as input returns
accept, we have the equation h = h₁ + f = H₂(g^s X_c^{h₁} X_d^{f} mod p || M). We now
analyze two further cases.



Case 1. We recall that we can rewrite the signature above in the form (r₁, h, r₂).
If h = h₁ + f has never appeared in any previous signature query before, then
by the forking lemma, B can repeat its simulation so that E produces another
such signature (r₁, h', r₂'), with h ≠ h'.

Note that E has in fact produced two signatures σ = (s, h₁, f) and σ' =
(s', h₁', f'), with h = h₁ + f ≠ h₁' + f' = h'. If h₁ = h₁', then B aborts; we now
argue that this happens only with negligible probability. If h₁ = h₁', then either
the h₁ values were computed before the relevant H₂ queries (which produced h
and h'), or h₁ and h₁' are independent of h and h' respectively. Also, if h₁ = h₁',
then f ≠ f', so these values must have been computed after the relevant H₂
queries, and satisfy the equations f = h − h₁ and f' = h' − h₁'. But we know
that f is also an output of H₁, either from a direct H₁ query or via a KGen
query, and the probability that an output from an H₁ query matches (some
function of) an output from some H₂ query is at most μ₂μ₁/q. This is negligible,
so we assume that f = f', and therefore that h₁ ≠ h₁'.

Now, since h and h' resulted from different oracle queries on the same input,
we know that g^s X^{h₁} X_d^{f} = g^{s'} X^{h₁'} X_d^{f} mod p. So taking the exponents
from both sides we get s + x h₁ = s' + x h₁' mod q. Since h₁ ≠ h₁', B can now
solve for x, the discrete logarithm of X, using the equation
x = (s − s')/(h₁' − h₁) mod q.

So in Case 1, the probability γ that B does not have to abort at some point in
the simulation is at least

$$\gamma \ge \frac{1}{p(l)}\left(1 - \frac{\mu_2\mu_1}{q}\right),$$

which is non-negligible in the security parameter l. So B solves the discrete
logarithm of X by the forking lemma, in expected time at most
τ'/γ = 120686 μ₂ τ/(γη). This contradicts the hardness of the discrete
logarithm problem.
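The scheme of Section 4 and the extraction step of Case 1 just described, worked in code. This is an added example, not code from the paper: it instantiates ASIGN, AVERIFY, KGEN and VERIFY in a toy Schnorr group (an assumed 512-bit p with a 160-bit prime-order subgroup, and SHA-256 with domain tags standing in for the random oracles H₁ and H₂; the paper fixes none of these), runs the two-party exchange of the generic protocol, checks the symmetry of AVERIFY that Lemma 2 relies on, and then recovers x from two signatures that share r₁ and f but differ in h₁, exactly as in x = (s − s')/(h₁' − h₁) mod q. Forcing both signatures to use the same randomness t stands in for the forking lemma's rewinding; it is also why nonce reuse is fatal for any Schnorr-type signer.

```python
"""Toy instantiation of the concurrent signature scheme of Section 4 and of the
extraction step in Case 1 of the proof of Lemma 1 (added example, not the
paper's code).  Assumed, since the paper fixes none of it: SHA-256 with tags
stands in for H1 and H2; the group is a 512-bit Schnorr group with a 160-bit
prime-order subgroup, far too small for real use."""
import hashlib
import random
from collections import namedtuple

Params = namedtuple("Params", "p q g")  # g has prime order q modulo prime p
_SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rng, rounds=24):
    """Trial division by small primes, then Miller-Rabin with rng-chosen bases."""
    if n < 2 or any(n % sp == 0 for sp in _SMALL):
        return n in _SMALL
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(rng, qbits=160, pbits=512):
    """Prime q, prime p = k*q + 1 with k even, and g of order q modulo p."""
    q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
    while not is_probable_prime(q, rng):
        q += 2
    k = (rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))) & ~1
    while not is_probable_prime(k * q + 1, rng):
        k += 2
    p, g = k * q + 1, 1
    while g == 1:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
    return Params(p, q, g)


def H1(P, keystone):  # KGEN(k) = H1(k), the keystone fix
    return int.from_bytes(hashlib.sha256(b"H1|" + keystone).digest(), "big") % P.q


def H2(P, T, M):  # H2(T||M) with T encoded as fixed-width bytes
    T_bytes = T.to_bytes((P.p.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(b"H2|" + T_bytes + b"|" + M).digest(), "big") % P.q


def keygen(P, rng):
    x = rng.randrange(1, P.q)
    return x, pow(P.g, x, P.p)


def asign(P, Xi, Xj, xi, h2, M, rng, t=None):
    """ASIGN(X_i, X_j, x_i, h_2, M) -> (s, h_1, h_2); t is settable only for the fork demo."""
    t = rng.randrange(1, P.q) if t is None else t
    T = pow(P.g, t, P.p) * pow(Xj, h2, P.p) % P.p  # the r_1 of the proof
    h1 = (H2(P, T, M) - h2) % P.q
    return (t - h1 * xi) % P.q, h1, h2


def averify(P, sigma, Xi, Xj, M):  # h_1 + h_2 == H2(g^s X_i^{h_1} X_j^{h_2} || M)
    s, h1, h2 = sigma
    T = pow(P.g, s, P.p) * pow(Xi, h1, P.p) * pow(Xj, h2, P.p) % P.p
    return (h1 + h2) % P.q == H2(P, T, M)


def verify(P, keystone, S):  # VERIFY(k, S): keystone opens f = h_2, then AVERIFY
    sigma, Xc, Xd, M = S
    return H1(P, keystone) == sigma[2] and averify(P, sigma, Xc, Xd, M)


def run_protocol(P, rng, alice, bob, M_A, M_B):
    """Two-party exchange of Section 2.2 with A as the initial signer."""
    (xA, XA), (xB, XB) = alice, bob
    keystone = rng.getrandbits(128).to_bytes(16, "big")
    f = H1(P, keystone)
    sigA = asign(P, XA, XB, xA, f, M_A, rng)               # A -> B
    assert averify(P, sigA, XA, XB, M_A), "B aborts"        # B checks before signing
    sigB = asign(P, XB, XA, xB, f, M_B, rng)               # B -> A, same keystone fix
    assert averify(P, sigB, XB, XA, M_B), "A aborts"
    return keystone, (sigA, XA, XB, M_A), (sigB, XB, XA, M_B)  # A then releases k


def extract_dlog(P, sig1, sig2):
    """Case 1 of Lemma 1: same T and f, h_1 != h_1' gives x = (s - s')/(h_1' - h_1)."""
    (s, h1, f), (s2, h1b, f2) = sig1, sig2
    if f != f2 or h1 == h1b:
        raise ValueError("fork must share f and differ in h_1")
    return (s - s2) * pow((h1b - h1) % P.q, -1, P.q) % P.q


def demo(seed=2004):
    rng = random.Random(seed)
    P = gen_group(rng)
    alice, bob = keygen(P, rng), keygen(P, rng)
    (xA, XA), (_, XB) = alice, bob
    k, SA, SB = run_protocol(P, rng, alice, bob, b"A pays B 10", b"B ships #42")
    (s, h1, f) = sigA = SA[0]
    t = rng.randrange(1, P.q)  # forking stand-in: reuse T and f, vary M
    fork = [asign(P, XA, XB, xA, f, m, rng, t=t) for m in (b"m1", b"m2")]
    return {
        "both_binding": verify(P, k, SA) and verify(P, k, SB),
        "symmetric": averify(P, (s, f, h1), XB, XA, SA[3]),  # AVERIFY symmetry
        "bad_keystone_rejected": not verify(P, b"wrong keystone", SA),
        "tamper_rejected": not averify(P, sigA, XA, XB, SA[3] + b"!"),
        "dlog_recovered": extract_dlog(P, *fork) == xA,
    }
```

`demo()` builds the group from a fixed seed, so a run is reproducible; until the keystone is released, each of the two signatures verifies equally well with the roles of the two keys swapped, which is the ambiguity the protocol relies on, and `extract_dlog` shows why the reduction of Lemma 1 (and any signer that ever repeats t) hands over the private key.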



Case 2. However suppose that h = h', where h' = h₁' + f' was the output
in some previous signature query (X_{c'}, X_{d'}, f', M'). Say the previous signature
was σ' = (s', h₁', f') with public keys X_{c'} and X_{d'} on message M'. Now h =
H₂(g^s X_c^{h₁} X_d^{f} mod p || M), h' = H₂(g^{s'} X_{c'}^{h₁'} X_{d'}^{f'} mod p || M') and h = h'.
If the inputs to H₂ are not equal, then B aborts. This occurs with probability
at most μ₂μ_s/q. Otherwise we have that the inputs to the random oracle are
equal, so M = M' and g^s X_c^{h₁} X_d^{f} = g^{s'} X_{c'}^{h₁'} X_{d'}^{f'} mod p.

If X_{c'}, X_{d'} ≠ X, or X_{c'} = X or X_{d'} = X but their exponents are different
(e.g. if X_{c'} = X but h₁' ≠ h₁), then it is easy to see that B can extract x directly
from the equation g^s X^{h₁} X_d^{f} = g^{s'} X_{c'}^{h₁'} X_{d'}^{f'} mod p.

However suppose that either X_{c'} = X or X_{d'} = X, and their exponents are
equal. If X_{c'} = X and h₁' = h₁, then since h₁ + f = h₁' + f', we have that f' = f.
But this is impossible since it contradicts the assumption that no tuple of the
form (X_c, X_i, f, M) was queried on the signing oracle before.

If X_{d'} = X and h₁ = f', then f = h₁', where h₁' = h' − f' was generated
in a previous signature query, and is determined by the outputs of the random
oracles H₁ and H₂. But we know that f is also a direct output of H₁, perhaps
via a KGen query. However the probability that an output from H₁ matches an
h₁' from some signature query is at most μ₁μ_s/q. This probability is negligible
and if this case occurs, then B aborts.

So for Case 2, the probability γ that B is not forced to abort at some point is
at least

$$\gamma \ge \frac{1}{p(l)}\left(1 - \frac{\mu_2\mu_s}{q}\right)\left(1 - \frac{\mu_1\mu_s}{q}\right),$$

which is non-negligible in the security parameter l. If B is not forced to abort,
then B can solve the discrete logarithm of X directly from E's output. Our
analysis therefore shows that in Case 2, B can extract the discrete logarithm of
X within expected time at most τ/γ. This again contradicts the hardness of the
discrete logarithm problem. □



Proof of Lemma 3. We suppose that H₁ and H₂ are random oracles as before, and
suppose that there exists an algorithm E that with non-negligible probability
wins the game in Section 3.4. In this game, the challenger runs the SETUP
algorithm to initialize all the public parameters as usual, choosing all the private
keys x_i randomly from Z_q, generating the public keys as X_i = g^{x_i} mod p, and
giving these public keys to E. Also as part of this game, C responds to H₁, H₂,
KGen and KReveal queries as usual, and responds to ASign and Private Key
Extract queries using its knowledge of the private keys.

In the final stage of the game, E chooses challenge public keys X_c, X_d and
with non-negligible probability η outputs keystone k and S = (σ, X_c, X_d, M)
with σ = (s, h₁, f) for which one of the following cases holds:

1. f was a previous output from a KGen query, f was not queried on the
KReveal oracle, and (k, S) is accepted by VERIFY.

2. E also produces S' = (σ', X_d, X_c, M'), where σ' = (s', h₁', f) is an ambiguous
signature on M' with public keys X_d, X_c, both S and S' are accepted by
AVERIFY, (k, S) is accepted by VERIFY, but (k, S') is not accepted by
VERIFY.

We now analyse E's output.

Case 1. Suppose case 1 of the output conditions occurs. Then E has found a
keystone k and an output of a KGen query f such that f = H₁(k), but without
making a KReveal query on input f. However, since H₁ is a random oracle, E's
probability of producing such a k is at most μ₁μ_k/q, where μ₁ is the number of
H₁ queries made by E and μ_k is the number of KGen queries made by E. Since
both μ₁ and μ_k are polynomially bounded in the security parameter l and q is
exponential in l, this probability is negligible. This contradicts our assumption
that E wins the game with non-negligible probability.

Case 2. Suppose case 2 of the output conditions occurs. Since S is accepted by
AVERIFY and (k, S) is accepted by VERIFY, we must have KGEN(k) = f. But
then, since S and S' share the value f, we must also have that (k, S') is accepted
by VERIFY. This is a contradiction. □
Abstract. For the last two decades the notion and implementations
of proxy signatures have been used to allow transfer of digital signing 
power within some context (in order to enable flexibility of signers within 
organizations and among entities). On the other hand, various notions of 
the key-evolving signature paradigms (forward-secure, key-insulated, and 
intrusion-resilient signatures) have been suggested in the last few years 
for protecting the security of signature schemes, localizing the damage 
of secret key exposure. 

In this work we relate the various notions via direct and concrete secu- 
rity reductions that are tight. We start by developing the first formal 
model for fully hierarchical proxy signatures, which, as we point out, 
also addresses vulnerabilities of previous schemes when self-delegation
is used. Next, we prove that proxy signatures are, in fact, equivalent to 
key-insulated signatures. We then use this fact and other results to es- 
tablish a tight hierarchy among the key-evolving notions, showing that 
intrusion-resilient signatures and key-insulated signatures are equivalent, 
and imply forward-secure signatures. We also introduce other relations 
among extended notions. 

Besides the importance of understanding the relationships among the 
various notions that were originally designed with different goals or with 
different system configuration in mind, our findings imply new designs 
of schemes. For example, many proxy signatures have been presented 
without formal model and proofs, whereas using our results we can em- 
ploy the work on key-insulated schemes to suggest new provably secure 
designs of proxy signatures schemes. 



1 Introduction 

Characterizing relationships among cryptographic notions is an important task 
that increases our understanding of the notions and can contribute to con- 
crete designs. In this work we look at two paradigms, proxy signatures and 
key-evolving signatures, that were suggested at different times for totally dif- 
ferent purposes. After developing the first formal model for fully hierarchical 
proxy signatures and addressing a vulnerability in previous proxy schemes, we 
prove that proxy signatures are equivalent in a very strong sense to key-insulated 



C. Cachin and J. Camenisch (Eds.): EUROCRYPT 2004, LNCS 3027, pp. 306—322, 2004. 
@ International Association for Cryptologic Research 2004 




The Hierarchy of Key Evolving Signatures 307 



signatures (one of the key-evolving notions). We also relate the various notions 
within the key-evolving paradigm, that were originally suggested for different 
system architecture settings and adversarial assumptions, establishing a tight 
hierarchy among them (tight in the sense of no security loss in the reductions). 
In the rest of the introduction we elaborate on these primitives, our results, and 
their significance. 



Proxy Signatures and Our Contributions in Modeling them. The paradigm of 
proxy signature is a method for an entity to delegate signing capabilities to other 
participants so that they can sign on behalf of the entity within a given context 
(the context and limitations on proxy signing capabilities are captured by a 
certain warrant issued by the delegator which is associated with the delegation 
act). For example, Alice the executive might want to empower Bob the secretary 
to sign on her behalf for a given week when Alice is out of town. Such proxy 
capability transfer may be defined recursively to allow high flexibility in assigning 
limited entitlements. The notion is motivated by real life flexibility of “power of 
attorney” and other mechanisms of proxy. 

The notion has been suggested and implemented in numerous works for about 
20 years now: one of the early works to be published was presented in [6] , whereas 
for a cryptographic treatment see [14]. Most of the past work is informal and 
without complete proofs. The first (and to the best of our knowledge, only) work 
to formally define the model of proxy signatures, is the recent work of Boldyreva, 
Palacio, and Warinschi [3]. Their definition is of proxy signature, with only one 
level of delegation, and without using the warrants as part of the model (though 
warrants are used in the common scheme of delegation by certificate, a notion 
that was analyzed by [3]). 

We provide the first definition of fully hierarchical proxy signatures with war- 
rants, supporting chains of several levels of delegation. Furthermore, the fully 
hierarchical approach illuminates an important aspect of proxy signatures, re- 
garding self-delegations, which was previously overlooked. Specifically, we iden- 
tify a vulnerability in previous solutions (both in existing proxy signature im- 
plementations such as the delegation by certificate, and in the formal model 
which rendered them secure). This weakness, which results in enabling a dele- 
gatee to possibly take “rogue actions” on behalf of a delegator, does not exist in 
our model, and we point out how the delegation by certification implementation 
(and other schemes with the same problem) can be modified in a simple way so 
as to avoid such attacks, and satisfy our strong notion of security. 



Key Evolving Signatures. The paradigm of key evolving signatures started with 
Anderson’s suggestion in [1], towards mitigating the damage caused by key ex- 
posure, one of the biggest threats to security of actual cryptographic schemes. 
Indeed, if the secret key in a standard signature scheme is exposed, this allows for 
forgery, invalidation of past and future signatures, and thus repudiation through 
leaking of the secret key. To limit the damage, the key evolving paradigm splits 
the time for which the signature is valid (say, 5 years) into well defined short 
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periods (say months, days, or a period per signature, as required by the applica- 
tion). The secret key can then evolve with the periods (see details below), while 
maintaining the same public key. This idea gave rise to three well-defined notions 
of protection against key exposure, compartmentalizing the damage. The three 
notions have different configurations and different adversarial settings, achieving 
different properties: 

1. Forward-Secure Signature Schemes (FS) [1,2]: Here the system is comprised 
of a single agent holding the private signing key, and at each period the key is 
evolved (via a one-way transformation) so that the exposure does not affect 
past periods. This notion has the advantage that even if all the key material 
is completely exposed, past signatures are still valid, and cannot be forged 
or repudiated. On the other hand, such a complete exposure necessarily 
compromises the validity of all future signatures, and the public key cannot 
be used any more. 

2. Key-Insulated Signature Scheme (KI) [5]: Here the system is made out of 
two entities: the signer and a helper (base). At the start of the period the 
signer is updated by the helper to produce the next period’s key. The helper 
is involved only in the updates. In fact, the helper can give the signer access 
to any period at any time (random access capability). The exposure of up 
to t of the N periods, chosen adaptively by the adversary, still keeps any 
period that was not exposed secure. The limitation of necessarily exposing 
all future keys, as in forward security does not apply anymore; this limitation 
is removed by the introduction of the helper (base) which is never exposed. 
The optimal t achieved by some of the schemes is N − 1 where the remaining
period is still secure. Note that here the keys at the helper and the signer
are not forward-secure. This model was first considered in [4]. We remark 
that the notion of strong KI which protects the signer from the helper is 
irrelevant here (and there is a simple transformation from KI to strong KI). 

3. Intrusion-Resilient Signature Scheme (IR) [9]: Here the scheme is also made
out of a signer and a helper (base). Now the exposures of both the helper 
and the signer are allowed. If the exposure is alternating (i.e., at each pe- 
riod at most one of the signer or the helper is exposed) then the scheme 
remains secure for all unexposed signing periods. If the exposure is of both 
the helper and the signer simultaneously, then the system becomes forward- 
secure from that period on: the past is protected (excluding the periods 
where the signer was directly exposed) but the future is now necessarily in- 
secure. Note that unlike KI, this notion allows exposure of the helper, and 
that both the helper’s key and the signer’s key are forward-secure. 

Our Reductions: A Characterization of Proxy Signatures, and The Hierarchy 
of Key Evolving Signatures. Our goal is to explore the relations among the 
key evolving signature notions and proxy signatures, towards gaining a better 
understanding of the primitives, and obtaining practical constructions. From a 
complexity-theoretic point of view, one can establish equivalences using the fact 
that these notions have implementations based on a generic signature scheme 
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(typically less efficient than implementations based on specific number theoretic 
assumptions). For example, see the generic constructions of [2,12,5,7] for key 
evolving signatures, and the delegation by certificate scheme for proxy signatures 
that was suggested with different variations in numerous works (see Section 2.1). 
Thus, the notions are equivalent to the existence of one-way functions in terms 
of computational assumptions [15,16]. However, our goal is to establish direct 
reductions, both from a practical point of view (namely, given an implementation 
of one primitive, construct the other primitive using the first almost “as-is” , 
with a straight-forward and efficient transformation), and from a theoretical 
point of view: analyzing the efficiency and the concrete security guarantees. In 
particular, we consider direct reductions between paradigms so that there is a 
concrete security evaluation of one scheme based on the concrete security of the 
related scheme to which it is reduced, while minimizing the loss of the concrete 
security value, and minimizing overhead in efficiency. Under this notion of direct 
reduction we found that: 

~ Proxy signatures are equivalent to KI signatures. In particular, we show that 
proxy signatures imply KI signatures via a tight reduction achieving the same 
concrete security, and that KI signatures imply proxy signatures via a tight 
security reduction. Our characterization of proxy signatures immediately 
provides a suite of provably secure proxy signature schemes, based on the 
previous (and future) schemes for KI signatures. For example, all the schemes 
of [5] can be used, including the efficient ones based on trapdoor-signature 
schemes, and their instantiations (based on RSA, identity-based signatures 
from the Gap Diffie-Hellman group, etc.). This is a significant contribution, 
since only few provably secure proxy schemes were known before (e.g., [3] 
for the non-hierarchical case) . 

— We show a direct and tight hierarchy for key evolving signature schemes. 
Specifically, we show that IR implies KI implies FS, and KI implies IR with- 
out loss in concrete security. The implication KI ⇒ FS was left as an open
problem in [5], and our proof of it utilizes our result about the equivalence of
KI and proxy signatures.¹ Note that while proving IR ⇒ FS is trivial, relating
them to KI is not. For example, the naive approach of unifying the signer
and helper of the KI model into the single signer entity of the FS model, 
does not work. This is because the keys of the signer and helper together 
are not forward-secure, by definition. In fact, the opposite is true since the 
helper keys with the signing key for any period should be able to provide 
the signing key for all other periods through the random-access property. 

The relationships we establish are summarized in Figure 1 on the left side. In 
addition, on the right side is a diagram summarizing our technical results which 
are employed in the derivation of these relationships, showing the structure of our 
proofs (and may be helpful to obtain the best constructions from an engineering 

¹ Once we established this result through the connection to proxy signatures, we also
succeeded in showing that KI ⇒ IR, which together with the trivial IR ⇒ FS gave
an alternative proof that KI ⇒ FS directly within key evolving signatures.

Fig. 1. The left diagram is a summary of our main results, and the right diagram
is a summary of our technical reductions used to establish them.



point of view). In particular, we introduce an intermediate notion between IR
and KI, denoted KI-FS, which has helped us to conceptualize the IR ⇒ KI
relation (and it may be of independent interest for certain applications). The
dashed line refers to the trivial implication of FS from IR, which together with 
our result that KI implies IR gives an alternative proof that KI implies FS. We 
believe that directly relating proxy signing (which is a trust management and 
flexibility mechanism) to that of key evolving signatures (which are mechanisms 
to protect against key exposure attacks) is somewhat surprising and conceptually 
interesting. This was also a crucial step in answering the question about the 
relation between KI and FS, a recognized open question about seemingly closer 
notions. 

Organization We provide the definitions for proxy signature schemes in Sec- 
tion 2.1, together with motivations and discussions of the model. This includes 
the differences and generalizations of our model compared with the previous 
single-level model, the weakness of previous schemes, how it is addressed by our 
model, and how to modify previous schemes to achieve security. In Section 2.2 
we briefly review definitions for the key-evolving notions of IR, KI, and FS. In 
Section 3 we present the characterization of proxy signatures as equivalent to
KI. Finally, in Section 4 we present the hierarchy of key evolving signatures,
by showing that IR implies KI (which is a consolidation of our proofs that IR
implies KI-FS and that KI-FS implies KI, given in the full version), KI implies
IR, and by showing that Proxy implies FS (and therefore KI implies FS). 

2 Definitions of Proxy Signatures and Key Evolving 
Signatures 

2.1 Proxy Signature 

Model  A proxy signature scheme Π_PS = (Gen_PS, Sign_PS, Vrfy_PS, (DlgD_PS, DlgP_PS),
PSig_PS, PVrf_PS, ID_PS) consists of the following eight algorithms.

Gen_PS, the key generation algorithm, which takes a security parameter k ∈ ℕ
as input, outputs a signing key SK and a public key PK.






Sign_PS, the signing algorithm, which takes a signing key SK and a message M
as input, outputs a signature sig on M.

Vrfy_PS, the verification algorithm, which takes the public key PK, a message
M, and a candidate signature sig as input, outputs a bit b, where b = 1 iff
the signature is accepted.

(DlgD_PS, DlgP_PS), (interactive) proxy-designation algorithms (where DlgD_PS and
DlgP_PS are owned by the designator i_{L−1} and the proxy signer i_L, respec-
tively).

DlgD_PS takes public keys of a designator PK_{i_{L−1}} and a proxy signer PK_{i_L},
the signing key of which the designator delegates its signing right (i.e., the
signing key is either a signing key SK_{i_{L−1}} or a proxy signing key SKP_{i_0→i_{L−1}}
depending on whether i_{L−1} is the original signer or a proxy signer), a warrant
up to the previous delegation W_{L−1} and a warrant ω_L set in the current
delegation as inputs. DlgD_PS has no local output. Note that the warrant usually
contains the information on "valid period", "limitation", etc. We say that a
message violates a warrant if the message is not compliant with the contents
of the warrant.

DlgP_PS takes public keys of a designator PK_{i_{L−1}} and a proxy signer PK_{i_L},
and the secret key of the proxy signer SK_{i_L} as inputs and outputs a proxy
signing key SKP_{i_0→i_L} and a warrant W_L. Note that no secret key is given when
the type of the designation is "self delegation", in which the designator
designates its signing right to itself with limited capability².

PSig_PS, the proxy signing algorithm, which takes a proxy signing key SKP_{i_0→i_L},
a message M and a warrant W as input, outputs a proxy signature psig.

PVrf_PS, the proxy verification algorithm, which takes a public key PK_{i_0} of the
original designator, a message M, a warrant W, and a proxy signature psig
as input, outputs a bit b, where b = 1 iff the proxy signature is accepted.

ID_PS, the proxy identification algorithm, which takes a warrant W and a proxy
signature psig as input, outputs a list of identities (i.e., public keys) PK* in
the delegation chain.



Correctness: We require that for all messages M and any delegation chain
i_0 → i_1 → ... → i_L, PVrf_PS(PK_{i_0}, M, W_L, PSig_PS(SKP_{i_0→i_L}, M, W_L)) = 1 and
ID_PS(W_L, PSig_PS(SKP_{i_0→i_L}, M, W_L)) = (PK_{i_0}, ..., PK_{i_L}) if the proxy signing
key SKP_{i_0→i_L} and the warrant W_L are the output of consecutive executions of

DlgD_PS(SK_{i_{l−1}}, PK_{i_l}, W_{l−1}, ω_l),
DlgP_PS(PK_{i_{l−1}}, PK_{i_l}, SK_{i_l})

for l = 1, ..., L (where SK_{i_{l−1}} denotes the signing key or the proxy signing key
of i_{l−1}), and the message M does not violate the warrant W_L.



Definition of Security  Let F be a probabilistic polynomial-time oracle Turing
machine with the following oracles:

² This is significant since if the proxy signer (or device) has the original signing key
in self delegation it is impossible for the designator to limit the signing capability of
the proxy signer.
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— Osig, the signing oracle, which 

1. on input outputs Signp 5 M). 

2. on input (“p” , Af, (ji, J l), kh), outputs PS\gps{SKP M,W). 

— Osec, the key exposure oracle, which on input 

1 . ( “s” , j ) , outputs ( SKj , PKj ) . 

2. (“sd”, j, L, (wi, . . . , wl_i)), outputs the pair of self proxy signing key and 
the warrant {SKPj..^j,W) where the length of the delegation chain is 
L. 

— Ooig, the designation oracle, which 

1. on input (“d”, (ji, . . . , jl, kk, w)), interacts with D\gpp^{PK PK 

SK,,) on behalf of DlgDps(Pik,,_, , PK ,, , , kk, o.). 

2. on input (“p”, (?i, ■ • ■ , 7 l)), interacts with Dlgnpc(Pik,> , Pik,, , 
SKPj,..,j^_,, W,uj) on behalf of D\gpp^{PKj^_„ PKj^, SKj^). 

Let $Q = (Q_{sec}, Q_{Dlg})$, where $Q_{sec}$ and $Q_{Dlg}$ are the sets of $F$'s valid queries to the key exposure oracle and the designation oracle, respectively. We say that the scheme is

— $(j, Q)$-signable if and only if ("s", $j$) $\in Q_{sec}$;

— $((j_1, \ldots, j_L), W, Q)$-proxy-signable if and only if one of the following holds:

1. ("s", $j_l$) $\in Q_{sec}$ for all $l$ such that $1 \le l \le L$;

2. there exists $L'$ $(< L)$ such that

• ("d", $(j_1, \ldots, j_{L'})$, $W'$, $\omega'$) $\in Q_{Dlg}$,

• $(W', \omega')$ do not contradict $W$,

• $j_l = j_{l-1}$ or ("s", $j_l$) $\in Q_{sec}$ (for $L' < l \le L$);

3. there exists $L'$ $(< L)$ such that

• $j_1 = \cdots = j_{L'}$ and ("sd", $j_1$, $L'$, $(\omega_1, \ldots, \omega_{L'-1})$) $\in Q_{sec}$,

• $\omega_l$ do not contradict $W$,

• $j_l = j_{l-1}$ or ("s", $j_l$) $\in Q_{sec}$ (for $L' < l \le L$).

Let $\mathrm{Succ}^{PS}_F(k)$ be defined as follows:
\[
\mathrm{Succ}^{PS}_F(k) = \Pr\left[
\begin{array}{l}
\bigl(\sigma = (M, s, PK_j) \wedge \mathrm{Vrfy}_{PS}(PK_j, M, s) = 1\bigr) \\
\vee\ \bigl(\sigma = (M, W, ps, PK) \wedge \mathrm{PVrf}_{PS}(PK, M, W, ps) = 1\bigr)
\end{array}
\;:\;
\begin{array}{l}
(SK_j, PK_j) \leftarrow \mathrm{Gen}_{PS}(1^k); \\
\sigma \leftarrow F^{O_{sig}, O_{sec}, O_{Dlg}}(PK_j)
\end{array}
\right]
\]
where

— $M$ is never queried to $O_{sig}$ and the scheme is not $(j, Q)$-signable, if $\sigma = (M, s, PK_j)$;

— $((j_1, \ldots, j_L), M, W)$ is never queried to $O_{sig}$ and the scheme is not $((j_1, \ldots, j_L), W, Q)$-proxy-signable if ("s", $j_1$) $\notin Q_{sec}$, where $\sigma = (M, W, ps, PK)$ and $\mathrm{ID}_{PS}(W, ps) = (PK_{j_1}, \ldots, PK_{j_L})$.

We say $\Pi_{PS}$ is a $(\tau, \varepsilon, q)$-secure proxy signature if $\mathrm{Succ}^{PS}_F(k) \le \varepsilon$ for any probabilistic polynomial-time Turing machine $F$ with running time at most $\tau$ and at most $q$ queries to $O_{sig}$.
Discussion: Delegation by Certificate, and the Self-delegation Attack. Delegation by certificate is a well-known simple notion. It achieves delegation by having the delegator compute a warrant $W = \mathrm{Sign}(SK_d, (PK_p, \mathrm{limitation}))$ with its secret key, where $SK_d$ is the secret key of the delegator and $PK_p$ is the public key of the proxy signer. The proxy signer can then compute a proxy signature $ps$ for the message $M$ simply as $ps = \mathrm{Sign}(SK_p, (W, M))$.

Delegation by certificate works well in many settings; however, we must be aware that a naive implementation leads to an attack, even on a delegation-by-certificate scheme. Specifically, we must take care to implement self-delegation securely. For example, the scheme in [3] is not secure under our security definition, and it can easily be broken simply by querying ("sd", 2, $\Lambda$) to the $O_{sec}$ oracle (we use $\Lambda$ to denote null data). Since the scheme of [3] is constructed in such a way that the proxy signing key is exactly the same as the original signing key of the proxy signer even in the case of self-delegation, an adversary can forge a (non-proxy) signature for any message simply by querying the self-delegation signing key. We must carefully consider the meaning of self-delegation, which is usually used for delegating limited signing capability.

The model proposed in [3] also has a problem with self-delegation. Namely, the oracles defined in [3] only allow giving transcripts of $\mathrm{Dlg}_D^{PS}$ and $\mathrm{Dlg}_P^{PS}$. Therefore, there is no way for the adversary to get the self-delegation key. This is not the case in real life, since self-delegation is needed when the signing key is stored in an insecure environment (e.g. a laptop PC gets delegation from a host). Therefore, the scheme must be secure even if the self-delegation key is exposed. In contrast, our model allows the adversary to obtain self-delegation keys to reflect this real-life setting. Our implementation of proxy signatures based on KI also takes care of this problem: in our implementation, a new key pair is always generated in self-delegation, which prevents the attack above.
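As an added illustration (not code from the paper), the delegation-by-certificate construction above in Go, with Ed25519 standing in for Sign, next to the two self-delegation variants the discussion contrasts: the naive one that hands out the original key, and the one that generates a fresh key pair. The byte encodings of (PK_p, limitation) and (W, M), and modelling the limitation as a required message prefix, are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Warrant is the delegation certificate W = Sign(SK_d, (PK_p, limitation)).
type Warrant struct {
	ProxyPK    ed25519.PublicKey
	Limitation string
	Sig        []byte
}

// warrantBody is a constructed encoding of (PK_p, limitation); the paper
// leaves the warrant's contents application-specific.
func warrantBody(pkP ed25519.PublicKey, limitation string) []byte {
	body := append([]byte("warrant|"), pkP...)
	return append(body, []byte("|"+limitation)...)
}

// Delegate is run by the designator holding SK_d.
func Delegate(skD ed25519.PrivateKey, pkP ed25519.PublicKey, limitation string) Warrant {
	return Warrant{ProxyPK: pkP, Limitation: limitation,
		Sig: ed25519.Sign(skD, warrantBody(pkP, limitation))}
}

// proxyBody encodes (W, M); including the warrant signature binds ps to W.
func proxyBody(w Warrant, msg []byte) []byte {
	return append(append([]byte{}, w.Sig...), msg...)
}

// ProxySign computes ps = Sign(SK_p, (W, M)).
func ProxySign(skP ed25519.PrivateKey, w Warrant, msg []byte) []byte {
	return ed25519.Sign(skP, proxyBody(w, msg))
}

// ProxyVerify checks the warrant under PK_d, the proxy signature under the
// key named in the warrant, and that M does not violate the warrant (here:
// the limitation must be a prefix of M, an assumption of this example).
func ProxyVerify(pkD ed25519.PublicKey, w Warrant, msg, ps []byte) bool {
	if !ed25519.Verify(pkD, warrantBody(w.ProxyPK, w.Limitation), w.Sig) {
		return false
	}
	if !ed25519.Verify(w.ProxyPK, proxyBody(w, msg), ps) {
		return false
	}
	return bytes.HasPrefix(msg, []byte(w.Limitation))
}

// NaiveSelfDelegation reproduces the flaw discussed above: the proxy key
// handed out is the original signing key itself, so exposing it exposes SK_d.
func NaiveSelfDelegation(skD ed25519.PrivateKey, limitation string) (Warrant, ed25519.PrivateKey) {
	pkD := skD.Public().(ed25519.PublicKey)
	return Delegate(skD, pkD, limitation), skD
}

// SafeSelfDelegation generates a fresh key pair for the limited capability,
// as the KI-based construction always does; exposing it does not yield SK_d.
func SafeSelfDelegation(skD ed25519.PrivateKey, limitation string) (Warrant, ed25519.PrivateKey, error) {
	pkP, skP, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Warrant{}, nil, err
	}
	return Delegate(skD, pkP, limitation), skP, nil
}

// ExposedKeyForgesOrdinary reports whether a party holding only the exposed
// self-delegation key can produce an ordinary (non-proxy) signature that
// verifies under the designator's public key: the failure mode of [3]
// described above, which the fresh-key variant rules out.
func ExposedKeyForgesOrdinary(pkD ed25519.PublicKey, exposed ed25519.PrivateKey, msg []byte) bool {
	return ed25519.Verify(pkD, msg, ed25519.Sign(exposed, msg))
}

func main() {
	pkD, skD, _ := ed25519.GenerateKey(rand.Reader)
	pkP, skP, _ := ed25519.GenerateKey(rand.Reader)
	w := Delegate(skD, pkP, "invoice:")
	msg := []byte("invoice:2004-0042") // constructed message within the warrant
	fmt.Println("proxy signature accepted:", ProxyVerify(pkD, w, msg, ProxySign(skP, w, msg)))
	_, naiveKey := NaiveSelfDelegation(skD, "invoice:")
	_, safeKey, _ := SafeSelfDelegation(skD, "invoice:")
	fmt.Println("naive self-delegation key forges ordinary signatures:",
		ExposedKeyForgesOrdinary(pkD, naiveKey, []byte("any")))
	fmt.Println("fresh self-delegation key forges ordinary signatures:",
		ExposedKeyForgesOrdinary(pkD, safeKey, []byte("any")))
}
```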

In defining the model of proxy signatures, the most crucial point is how to treat the semantics of the warrant, since the warrant usually contains application-specific information. Therefore, at the model level, it is desirable not to define the detailed semantics. In our model no semantics is defined for the warrant; it is only defined as input and output of the algorithms, and a message can be in agreement or in violation with the warrant. Further, not having access to a warrant prevents the usage of the delegated key, which is part of our model.

We also note that, in the general case, the chain of warrants may carry arbitrary information, and one needs to read it to understand whether a message is in agreement with the warrant. In this case the verification time of a proxy signature must be linear in the size of the delegation chain. (Of course, if warrants have special semantics, e.g. if they are not present at all, then this may be improved, e.g. using aggregate signatures as suggested by [3].)

2.2 Definitions of Key-Evolving Signatures 

In this section we briefly review the definitions of key-evolving signatures. These definitions are the same as those introduced in the original papers, except that we unify them following the notation of [9]. The complete definition of each notion is given in the full version of this paper [13].



Model. The three key-evolving signature notions, Forward-Secure signatures (FS), Key-Insulated signatures (KI), and Intrusion-Resilient signatures (IR), consist of subsets of the following seven algorithms, as indicated below.

Gen, the key generation algorithm, which takes a security parameter $k \in \mathbb{N}$ and the total number of periods $N$ as input, outputs an initial signing key $SK_0$ and a public key $PK$. In KI and IR, Gen also outputs an initial key $SK^*$ for the helper (base).

Upd*, the update algorithm of the base, which takes a base key $SK^*$ as input and outputs a key update message $SKU$. The key update message is used to update the signing key $SK$ of the signer. In KI, indices $i, j$ are also taken as input, where $i$ denotes the current time period of $SK$ and $j$ denotes the time period of $SK$ after the update. In IR, the base key is also updated by Upd*.

Upd, the signer key update algorithm, which takes a signer key $SK_i$ of the previous time period $i$ and a key update message $SKU$, outputs the signer key $SK_j$ of time period $j$. In IR, $j$ is always $i + 1$, whereas in KI, $i$ and $j$ can be chosen arbitrarily subject to $0 \le i, j \le N$.

Refr*, the base-key refresh algorithm, which takes a base key $SK^*$ of the current time period, outputs a new base key of the current time period and a key refresh message $SKR$. Only IR has Refr*.

Refr, the signer-key refresh algorithm, which takes a signer key $SK$ of the current time period and a key refresh message $SKR$, outputs a new signer key of the current time period. Only IR has Refr.

Sign, the signing algorithm, which takes a signer key $SK_j$, the index of a time period $j$ and a message $M$ as input, outputs a signature $(j, sig)$ on $M$ for time period $j$.

Vrfy, the verification algorithm, which takes the public key $PK$, a message $M$ and a pair $(j, s)$, outputs a bit $b$, where $b = 1$ iff the signature is accepted.

FS consists of four algorithms $\Pi_{FS} = (\mathrm{Gen}_{FS}, \mathrm{Upd}_{FS}, \mathrm{Sign}_{FS}, \mathrm{Vrfy}_{FS})$, KI consists of five algorithms $\Pi_{KI} = (\mathrm{Gen}_{KI}, \mathrm{Upd}^*_{KI}, \mathrm{Upd}_{KI}, \mathrm{Sign}_{KI}, \mathrm{Vrfy}_{KI})$ and IR consists of seven algorithms $\Pi_{IR} = (\mathrm{Gen}_{IR}, \mathrm{Upd}^*_{IR}, \mathrm{Upd}_{IR}, \mathrm{Refr}^*_{IR}, \mathrm{Refr}_{IR}, \mathrm{Sign}_{IR}, \mathrm{Vrfy}_{IR})$, with appropriate (and natural) correctness requirements.



Definition of Security. To define security, we consider a probabilistic polynomial-time oracle Turing machine $F$ with the following oracles:

— $O_{sig}$, the signing oracle, which takes the message $M$ and the time period $i$ and outputs the signature for $M$ of the designated time period.

— $O_{sec}$, the key exposure oracle, which on input the name of the target key (e.g. signing key, base key, etc.) and the time period, outputs the key of the designated period.

Let $Q$ be the set of valid key exposure queries of $F$. Then the success probability of the adversary, $\mathrm{Succ}_F(k)$, is defined as follows:
\[
\mathrm{Succ}_F(k) = \Pr\left[\mathrm{Vrfy}(PK, M, (i, s)) = 1 \;:\; (PK, SK_0) \leftarrow \mathrm{Gen}(1^k);\ (M, (i, s)) \leftarrow F^{O_{sig}, O_{sec}}(PK)\right]
\]
where $(M, i)$ is never queried to $O_{sig}$ and

— (In FS) $F$ never gets the signing key before time period $i$.

— (In KI) $F$ never gets the signing key of time period $i$.

— (In IR) $F$ never gets the signer key of time period $i$, and $F$ never gets the signer key and the base key simultaneously in any time period before $i$.

We refer the reader to our full version [13] (and to the original papers [2,5,9]) for more complete definitions.

3 Characterization of Proxy Signatures

In this section we give a characterization of proxy signatures. Namely, we prove that proxy signatures are equivalent to key-insulated signatures by constructing a key-insulated signature from any proxy signature, with a concrete security reduction, and vice versa.

3.1 Proxy → (N − 1, N) KI

We construct an $(N-1, N)$ key-insulated signature as follows. The signing key of time period $j$ corresponds to a proxy signing key with a delegation chain of length $j + 1$. The important point is that the proxy signer is changed every time the period changes, which prevents an attacker who gets the signing key of period $j$ from forging signatures of the other periods.

The complete construction of $\Pi_{KI} = (\mathrm{Gen}_{KI}, \mathrm{Upd}^*_{KI}, \mathrm{Upd}_{KI}, \mathrm{Sign}_{KI}, \mathrm{Vrfy}_{KI})$ from a proxy signature $\Pi_{PS} = (\mathrm{Gen}_{PS}, \mathrm{Sign}_{PS}, \mathrm{Vrfy}_{PS}, (\mathrm{Dlg}_D^{PS}, \mathrm{Dlg}_P^{PS}), \mathrm{PSig}_{PS}, \mathrm{PVrf}_{PS}, \mathrm{ID}_{PS})$ is as follows.


Gen_KI(1^k, N):
    (SK^{(0)}, PK^{(0)}) ← Gen_PS(1^k); (SK^{(1)}, PK^{(1)}) ← Gen_PS(1^k);
    run Dlg_D^{PS}(PK^{(0)}, PK^{(1)}, SK^{(0)}, Λ, Λ) with Dlg_P^{PS}(PK^{(0)}, PK^{(1)}, SK^{(1)}) to obtain (SKP^{(0..1)}, W_0);
    SK*^{(KI)} ← (PK^{(0)}, SK^{(0)}); SK_0^{(KI)} ← (SKP^{(0..1)}, W_0); PK^{(KI)} ← PK^{(0)};
    output (SK*^{(KI)}, SK_0^{(KI)}, PK^{(KI)});

Upd*_KI(SK*^{(KI)}, i, j):
    (PK^{(0)}, SKP) ← SK*^{(KI)}; W ← Λ;
    for n = 0 to j do
        (SK^{(n+1)}, PK^{(n+1)}) ← Gen_PS(1^k);
        run Dlg_D^{PS}(PK^{(n)}, PK^{(n+1)}, SKP, W, Λ) with Dlg_P^{PS}(PK^{(n)}, PK^{(n+1)}, SK^{(n+1)}) to obtain (SKP, W);
    SK'_j^{(KI)} ← (SKP, W);
    output SK'_j^{(KI)};

Upd_KI(SK_i^{(KI)}, SK'_j^{(KI)}):
    output SK'_j^{(KI)};

Sign_KI(SK_j^{(KI)}, j, M):
    (SKP_{0..j+1}, W) ← SK_j^{(KI)};
    ps ← PSig_PS(SKP_{0..j+1}, M, W);
    output (j, (W, ps));

Vrfy_KI(PK^{(KI)}, M, (j, s)):
    (W, ps) ← s; PK^{(0)} ← PK^{(KI)}; PK* ← ID_PS(W, ps);
    if (PK* ≠ (PK^{(0)}, ..., PK^{(j+1)})) then
        output 0
    else
        output PVrf_PS(PK*, M, W, ps);
The following theorem holds for the above construction.

Theorem 1. Suppose there exists a $(\tau_{KI}, \varepsilon_{KI}, q^{sig}_{KI}, q^{sec}_{KI})$-adversary $F_{KI}$ against KI as constructed above, with success probability $\varepsilon_{KI}$, running time $\tau_{KI}$, $q^{sig}_{KI}$ queries to the signing oracle and $q^{sec}_{KI}$ queries to the key exposure oracle. Then there exists a $(\tau_{PS}, \varepsilon_{PS}, q^{sig}_{PS}, q^{sec}_{PS}, q^{Dlg}_{PS})$-adversary $F_{PS}$ against PS with $\tau_{PS} = \tau_{KI}$, $\varepsilon_{PS} = \varepsilon_{KI}$,
\[
q^{sig}_{PS} = q^{sig}_{KI}, \qquad q^{sec}_{PS} = q^{sec}_{KI}, \qquad q^{Dlg}_{PS} = q^{sec}_{KI}.
\]

Proof. We construct the signing oracle $O^{(KI)}_{sig}$ and the key exposure oracle $O^{(KI)}_{sec}$ from $O^{(PS)}_{sig}$, $O^{(PS)}_{sec}$ and $O^{(PS)}_{Dlg}$ as follows.



O^{(KI)}_sig(M, j):
    ps ← O^{(PS)}_sig("p", M, (*, ..., *), W_j);
    output (j, (W_j, ps));

O^{(KI)}_sec(query):
    if (query = ("s", j)) then
        (SK_j, PK_j) ← O^{(PS)}_sec("s", j);
        obtain (SKP_{*..j}, W_{j+1}) by running Dlg_P^{PS}(PK_*, PK_j, SK_j) against O^{(PS)}_Dlg("d", (*, ..., *), W_j, Λ);
        output (SKP_{*..j}, W_{j+1});
    else
        output ⊥;

Then $F_{PS}^{O^{(PS)}_{sig}, O^{(PS)}_{sec}, O^{(PS)}_{Dlg}}(PK^{(PS)}) = (M, W, \sigma, PK)$, where $(M, (j, (W, \sigma))) = F_{KI}^{O^{(KI)}_{sig}, O^{(KI)}_{sec}}(PK^{(PS)})$, is the adversary as desired. If $F_{KI}$ can forge a valid signature $(j, \sigma)$ for the message $M$, then it is easy to see from the construction that $\sigma = (W, ps)$ is also a valid pair of a warrant and a proxy signature for the message $M$. Further, the scheme $\Pi_{PS}$ is not $((*, \ldots, *), W, Q_{PS})$-proxy-signable, where $Q_{PS} = (Q^{(PS)}_{sig}, Q^{(PS)}_{sec}, Q^{(PS)}_{Dlg})$ is the set of valid queries to the oracles of $\Pi_{PS}$, and ("p", $(*, \ldots, *)$, $W$) is never queried to $O^{(PS)}_{sig}$.

Further, the scheme is $(N-1, N)$ KI since, if an adversary who gets the signing keys of periods $j_1, \ldots, j_{N-1}$ could compute a signature of a period $j_N \notin \{j_1, \ldots, j_{N-1}\}$, then the adversary could compute a proxy signature which is not proxy-signable. □



Efficiency: The running times of the algorithms $\mathrm{Gen}_{KI}$, $\mathrm{Upd}^*_{KI}$, $\mathrm{Upd}_{KI}$, $\mathrm{Sign}_{KI}$ and $\mathrm{Vrfy}_{KI}$ are as follows, where $\tau^{(SIG)}_{Alg}$ denotes the running time of the algorithm Alg of the signature scheme SIG.
\[
\tau^{(KI)}_{Gen} = 2\,\tau^{(PS)}_{Gen} + \tau^{(PS)}_{Dlg_P} + \tau^{(PS)}_{Dlg_D}, \qquad
\tau^{(KI)}_{Upd^*} = (N+1)\,\bigl(\tau^{(PS)}_{Dlg_D} + \tau^{(PS)}_{Dlg_P}\bigr), \qquad
\tau^{(KI)}_{Upd} = O(1),
\]
\[
\tau^{(KI)}_{Sign} = \tau^{(PS)}_{PSig}, \qquad
\tau^{(KI)}_{Vrfy} = \tau^{(PS)}_{PVrf} + \tau^{(PS)}_{ID}.
\]

3.2 KI → Proxy

PS with $n$ designators can be constructed from a $(c \cdot n - 1, c \cdot n)$ KI as follows (where $c$ is the total number of self delegations allowed for each delegator). In the key generation phase, $c$ signer keys $SK_{j \cdot c}, SK_{j \cdot c + 1}, \ldots, SK_{(j+1) \cdot c - 1}$ are assigned to designator $j$. The signer key $SK_{j \cdot c}$ is used for (ordinary) signing, proxy signing and delegation. The other keys are used for self proxy signing and self delegation.

Delegation is simply based on a so-called "certificate chain". That is, to delegate the signing right of user $i$ to user $j$, user $i$ simply computes a warrant containing the public key of user $i$, the limitation of the delegation and the signature of user $j$. In our construction the warrant $W$ is of the form $W = (W', \omega, \mathrm{Sign}_{KI}(SK, (W', \omega)))$, where $W'$ is the warrant of the previous delegation and $\omega = (l_1, l_2, \mathrm{usage})$ describes the limitation of the current delegation; namely, $l_1$ and $l_2$ denote the range of possible secret keys used for self proxy signing (therefore, $l_1, l_2$ only make sense in self delegation). This type of warrant prevents a user $i$ holding warrants $W_1, \ldots, W_n$ from computing a valid proxy signature under any warrant other than $W_1, \ldots, W_n$.

Note that a different signer key of KI is assigned for each self delegation. This prevents an attacker who gets a signer key usable with some self delegation from computing a valid proxy signature for the other self delegations. The concrete security reduction is given by the following theorem.
The concrete security reduction can be shown by the following theorem. 

Theorem 2. It is possible to construct PS (with $n$ designators, and with the total number of self delegations allowed for each delegator less than a constant $c$) from $(c \cdot n - 1, c \cdot n)$ KI in such a way that if there exists a $(\tau_{PS}, \varepsilon_{PS}, q^{sig}_{PS}, q^{sec}_{PS}, q^{Dlg}_{PS})$-adversary $F_{PS}$ against PS then there exists a $(\tau_{KI}, \varepsilon_{KI}, q^{sig}_{KI}, q^{sec}_{KI})$-adversary $F_{KI}$ against KI with $\tau_{KI} = \tau_{PS}$, $\varepsilon_{KI} = \varepsilon_{PS}$, $q^{sig}_{KI} = q^{sig}_{PS} + q^{Dlg}_{PS}$ and $q^{sec}_{KI} = q^{sec}_{PS} + c \cdot q^{Dlg}_{PS}$.

The proof is given in the full version [13].

Efficiency: The running times of $\mathrm{Gen}_{PS}$, $\mathrm{Sign}_{PS}$, $\mathrm{Vrfy}_{PS}$, $\mathrm{Dlg}_D^{PS}$, $\mathrm{Dlg}_P^{PS}$, $\mathrm{PSig}_{PS}$, $\mathrm{PVrf}_{PS}$ and $\mathrm{ID}_{PS}$ in the construction of the above theorem are as follows, where $L$ denotes the length of the delegation chain.
\[
\tau^{(PS)}_{Gen} = \tau^{(KI)}_{Gen} + c\,\bigl(\tau^{(KI)}_{Upd^*} + \tau^{(KI)}_{Upd}\bigr), \qquad
\tau^{(PS)}_{Sign} = \tau^{(KI)}_{Sign}, \qquad
\tau^{(PS)}_{Vrfy} = \tau^{(KI)}_{Vrfy},
\]
\[
\tau^{(PS)}_{Dlg_D} = \tau^{(KI)}_{Sign}, \qquad
\tau^{(PS)}_{Dlg_P} = O(1), \qquad
\tau^{(PS)}_{PSig} = \tau^{(KI)}_{Sign}, \qquad
\tau^{(PS)}_{PVrf} = L \cdot \tau^{(KI)}_{Vrfy}, \qquad
\tau^{(PS)}_{ID} = O(L).
\]

4 The Hierarchy of Key Evolving Signatures

In this section we show the hierarchy among key evolving signatures. Namely, we show that intrusion-resilient signatures imply $(N-1, N)$ key-insulated signatures and vice versa, and that proxy signatures (and thus $(N-1, N)$ key-insulated signatures) imply forward-secure signatures. The results are summarized below, each followed by a brief overview of the proof. In some cases the complete formal constructions and proofs are omitted from this extended abstract and can be found in the full version of our paper [13].

Theorem 3 (IR → KI). It is possible to construct KI from IR in such a way that if there exists a $(\tau_{KI}, \varepsilon_{KI}, q^{sig}_{KI}, q^{sec}_{KI})$-adversary $F_{KI}$ which breaks KI then there exists a $(\tau_{IR}, \varepsilon_{IR}, q^{sig}_{IR}, q^{sec}_{IR})$-adversary $F_{IR}$ which breaks IR with $\tau_{IR} = \tau_{KI}$, $\varepsilon_{IR} = \varepsilon_{KI}$, $q^{sig}_{IR} = q^{sig}_{KI}$ and $q^{sec}_{IR} = q^{sec}_{KI}$.

The reduction is based on the following idea: all the initial data of IR is stored in the base of KI, and the signer of KI only stores the signer key of the current period. Random access to the key is then possible by simply computing the signer key of any period from the initial state. The formal details are given below.

Proof. We construct the $(N-1, N)$ key-insulated signature $\Pi_{KI} = (\mathrm{Gen}_{KI}, \mathrm{Upd}^*_{KI}, \mathrm{Upd}_{KI}, \mathrm{Sign}_{KI}, \mathrm{Vrfy}_{KI})$ from the intrusion-resilient signature $\Pi_{IR} = (\mathrm{Gen}_{IR}, \mathrm{Upd}^*_{IR}, \mathrm{Upd}_{IR}, \mathrm{Refr}^*_{IR}, \mathrm{Refr}_{IR}, \mathrm{Sign}_{IR}, \mathrm{Vrfy}_{IR})$ as follows.



Gen_KI(1^k, N):
    (SKB, SKS, PK^{(IR)}) ← Gen_IR(1^k, N);
    SK*^{(KI)} ← (SKB, SKS); SK_0^{(KI)} ← SKS; PK^{(KI)} ← PK^{(IR)};
    output (SK*^{(KI)}, SK_0^{(KI)}, PK^{(KI)});

Upd*_KI(SK*^{(KI)}, i, j):
    (SKB, SKS) ← SK*^{(KI)};
    for n = 0 to j − 1 do
        (SKB, SKU) ← Upd*_IR(SKB);
        SKS ← Upd_IR(SKS, SKU);
        (SKB, SKR) ← Refr*_IR(SKB);
        SKS ← Refr_IR(SKS, SKR);
    SK'_j^{(KI)} ← SKS;
    output SK'_j^{(KI)};

Upd_KI(SK_i^{(KI)}, SK'_j^{(KI)}):
    SK_j^{(KI)} ← SK'_j^{(KI)};
    output SK_j^{(KI)};

Sign_KI(SK_j^{(KI)}, j, M):
    output Sign_IR(SK_j^{(KI)}, j, M);

Vrfy_KI(PK^{(KI)}, M, (j, s)):
    output Vrfy_IR(PK^{(KI)}, M, (j, s));

We also construct the signing oracle $O^{(KI)}_{sig}$ and the key exposure oracle $O^{(KI)}_{sec}$ of KI from $O^{(IR)}_{sig}$ and $O^{(IR)}_{sec}$ as follows.

O^{(KI)}_sig(M, j):
    output O^{(IR)}_sig(M, j.1);

O^{(KI)}_sec(query):
    if (query = ("s", j)) then
        output O^{(IR)}_sec("s", j.1);
    else
        output ⊥;

Then $F_{IR}^{O^{(IR)}_{sig}, O^{(IR)}_{sec}}(PK^{(IR)}) = F_{KI}^{O^{(KI)}_{sig}, O^{(KI)}_{sec}}(PK^{(KI)})$ is the adversary as desired. This is because KI and the two oracles for KI are constructed in such a way that $SK^{(KI)}_j = SK^{(IR)}_j$ holds, and the signing algorithm and the verification algorithm are exactly the same as those of IR. Therefore, if $F_{KI}$ can produce a valid signature $(M, (j, sig))$ such that the scheme is not $(j, Q^{(KI)})$-compromised and $(M, j)$ is never queried to $O^{(KI)}_{sig}$, then $(j, sig)$ is also valid in IR, the scheme is not $(j, Q^{(IR)})$-compromised and $(M, j.1)$ is never queried to $O^{(IR)}_{sig}$. Further, the resulting KI is $(N-1, N)$ KI, since the key exposure of $N-1$ points in KI corresponds to the key exposure of $N-1$ signer secret keys of IR, and no base key of IR is compromised. Therefore the security of the remaining signing key is guaranteed by the IR property. □



We note that this construction is in fact a consolidation of earlier proofs we obtained for intermediate constructions, namely showing that IR implies KI-FS and that KI-FS implies KI. This intermediate notion of KI-FS is defined, and the corresponding reductions are proved, in the full version of our paper [13].

Efficiency: The running times of $\mathrm{Gen}_{KI}$, $\mathrm{Upd}^*_{KI}$, $\mathrm{Upd}_{KI}$, $\mathrm{Sign}_{KI}$ and $\mathrm{Vrfy}_{KI}$ in the above construction are as follows.
\[
\tau^{(KI)}_{Gen} = \tau^{(IR)}_{Gen}, \qquad
\tau^{(KI)}_{Upd^*} = N\,\bigl(\tau^{(IR)}_{Upd^*} + \tau^{(IR)}_{Upd} + \tau^{(IR)}_{Refr^*} + \tau^{(IR)}_{Refr}\bigr), \qquad
\tau^{(KI)}_{Upd} = O(1),
\]
\[
\tau^{(KI)}_{Sign} = \tau^{(IR)}_{Sign}, \qquad
\tau^{(KI)}_{Vrfy} = \tau^{(IR)}_{Vrfy}.
\]

Theorem 4 (KI → IR). It is possible to construct IR from $(N-1, N)$ KI in such a way that if there exists a $(\tau_{IR}, \varepsilon_{IR}, q^{sig}_{IR}, q^{sec}_{IR})$-adversary $F_{IR}$ which breaks IR then there exists a $(\tau_{KI}, \varepsilon_{KI}, q^{sig}_{KI}, q^{sec}_{KI})$-adversary $F_{KI}$ which breaks KI with $\tau_{KI} = \tau_{IR}$, $\varepsilon_{KI} = \varepsilon_{IR}$ and $q^{sig}_{KI} = q^{sig}_{IR}$.

The reduction is constructed as follows. In the key generation phase, the key generation algorithm of KI outputs the secret keys $SK_0, \ldots, SK_N$ of all time periods. Then $(SK_0, SK_1 \oplus R_1, SK_2 \oplus R_2, \ldots, SK_N \oplus R_N)$ is given to the signer as the signing key $SKS$, and $(R_1, R_2, \ldots, R_N)$ is given to the base as its base key $SKB$, where $R_1, R_2, \ldots, R_N$ are random data. $SKS$ and $SKB$ for time period $j$ are of the form $(SK_j, SK_{j+1} \oplus R_{j+1}, SK_{j+2} \oplus R_{j+2}, \ldots, SK_N \oplus R_N)$ and $(R_{j+1}, R_{j+2}, \ldots, R_N)$, respectively, and the signature for the message $M$ in time period $j$ is simply computed by $\mathrm{Sign}_{KI}(SK_j, M)$. Further, the random data $R_i$ are updated by the refresh algorithms. By this simple construction we obtain IR since:

— The adversary learns only the secret key of time period $j$ if it successfully attacks the signer in time period $j$. Further, knowledge of the signing key of time period $j$ does not help to forge signatures for other time periods.

— The adversary learns no information about the signing key of any period even if it successfully attacks the base.

— The adversary learns no information about past keys even if it successfully attacks the signer and the base in the same time period.
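To make the masking in this reduction concrete, here is an added Go sketch (not the paper's code) of the signer and base states of Theorem 4: Split produces SKS = (SK_0, SK_1 ⊕ R_1, ..., SK_N ⊕ R_N) and SKB = (R_1, ..., R_N), Update unmasks SK_{j+1} and discards SK_j, and Refresh re-randomises the R_i within a period. The KI signer keys are stand-in byte strings and no signing is performed; both are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignerState is SKS for period j: SK_j in the clear, followed by the
// masked future keys SK_{j+1} XOR R_{j+1}, ..., SK_N XOR R_N.
type SignerState struct {
	Period int
	Keys   [][]byte
}

// BaseState is SKB for period j: the masks R_{j+1}, ..., R_N.
type BaseState struct {
	Period int
	Masks  [][]byte
}

func xorBytes(a, b []byte) ([]byte, error) {
	if len(a) != len(b) {
		return nil, errors.New("length mismatch")
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

// Split turns the KI keys SK_0, ..., SK_N (output by the KI key generation)
// into the period-0 signer and base states.
func Split(sks [][]byte) (SignerState, BaseState, error) {
	s := SignerState{Period: 0, Keys: [][]byte{append([]byte{}, sks[0]...)}}
	b := BaseState{Period: 0}
	for _, sk := range sks[1:] {
		r := make([]byte, len(sk)) // random mask R_i of the key's length
		if _, err := rand.Read(r); err != nil {
			return SignerState{}, BaseState{}, err
		}
		masked, _ := xorBytes(sk, r)
		s.Keys = append(s.Keys, masked)
		b.Masks = append(b.Masks, r)
	}
	return s, b, nil
}

// Update advances both parties from period j to j+1: the base's update
// message is R_{j+1}; the signer unmasks SK_{j+1} and erases SK_j.
func Update(s SignerState, b BaseState) (SignerState, BaseState, error) {
	if s.Period != b.Period || len(b.Masks) == 0 || len(s.Keys) < 2 {
		return s, b, errors.New("no further period")
	}
	skNext, err := xorBytes(s.Keys[1], b.Masks[0])
	if err != nil {
		return s, b, err
	}
	ns := SignerState{Period: s.Period + 1, Keys: append([][]byte{skNext}, s.Keys[2:]...)}
	nb := BaseState{Period: b.Period + 1, Masks: b.Masks[1:]}
	return ns, nb, nil
}

// Refresh re-randomises every mask within the current period: the base picks
// fresh R'_i and sends the refresh message R_i XOR R'_i, which the signer
// XORs into its masked keys. Neither the keys nor the period change, so a
// signer state and a base state from different refreshes no longer combine.
func Refresh(s SignerState, b BaseState) (SignerState, BaseState, error) {
	ns := SignerState{Period: s.Period, Keys: [][]byte{s.Keys[0]}}
	nb := BaseState{Period: b.Period}
	for i, r := range b.Masks {
		rNew := make([]byte, len(r))
		if _, err := rand.Read(rNew); err != nil {
			return s, b, err
		}
		delta, _ := xorBytes(r, rNew) // refresh message SKR
		remasked, err := xorBytes(s.Keys[i+1], delta)
		if err != nil {
			return s, b, err
		}
		ns.Keys = append(ns.Keys, remasked)
		nb.Masks = append(nb.Masks, rNew)
	}
	return ns, nb, nil
}

// CurrentKey is the only key the signer holds in the clear: SK_j.
func (s SignerState) CurrentKey() []byte { return s.Keys[0] }

// HoldsInClear reports whether a KI key appears unmasked in the signer
// state, i.e. what an adversary compromising only the signer would learn.
func (s SignerState) HoldsInClear(sk []byte) bool {
	for _, k := range s.Keys {
		if bytes.Equal(k, sk) {
			return true
		}
	}
	return false
}

func main() {
	sks := [][]byte{[]byte("SK_0"), []byte("SK_1"), []byte("SK_2")} // constructed stand-ins
	s, b, _ := Split(sks)
	fmt.Printf("period %d: key %q, SK_1 in clear: %v\n", s.Period, s.CurrentKey(), s.HoldsInClear(sks[1]))
	s, b, _ = Refresh(s, b)
	s, b, _ = Update(s, b)
	fmt.Printf("period %d: key %q, SK_2 in clear: %v\n", s.Period, s.CurrentKey(), s.HoldsInClear(sks[2]))
}
```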

Theorem 5 (PS → FS). It is possible to construct FS from PS in such a way that if there exists a $(\tau_{FS}, \varepsilon_{FS}, q^{sig}_{FS}, q^{sec}_{FS})$-adversary $F_{FS}$ against FS then there exists a $(\tau_{PS}, \varepsilon_{PS}, q^{sig}_{PS}, q^{sec}_{PS}, q^{Dlg}_{PS})$-adversary $F_{PS}$ against PS with $\tau_{PS} = \tau_{FS}$, $\varepsilon_{PS} = \varepsilon_{FS}$,
\[
q^{sig}_{PS} = q^{sig}_{FS}, \qquad q^{sec}_{PS} = q^{sec}_{FS}\ (= 1), \qquad q^{Dlg}_{PS} = q^{sec}_{FS}\ (= 1).
\]

The reduction is constructed in such a way that the signing key of time period $j$ corresponds to the self-delegation key of delegation level $j + 1$. Though this is a simple construction, forward security is achieved since an attacker is not able to get the signing key of a lower delegation level even if the attacker gets the self-delegation key of some delegation level.

Efficiency: The running times of $\mathrm{Gen}_{FS}$, $\mathrm{Upd}_{FS}$, $\mathrm{Sign}_{FS}$ and $\mathrm{Vrfy}_{FS}$ in the above construction are as follows.
\[
\tau^{(FS)}_{Gen} = \tau^{(PS)}_{Gen} + \tau^{(PS)}_{Dlg_D} + \tau^{(PS)}_{Dlg_P}, \qquad
\tau^{(FS)}_{Upd} = \tau^{(PS)}_{Dlg_D} + \tau^{(PS)}_{Dlg_P},
\]
\[
\tau^{(FS)}_{Sign} = \tau^{(PS)}_{PSig}, \qquad
\tau^{(FS)}_{Vrfy} = \tau^{(PS)}_{PVrf} + \tau^{(PS)}_{ID}.
\]

The following corollary is immediate from Theorem 2 and Theorem 5.

Corollary 1 (KI → FS). It is possible to construct FS from KI in such a way that if there exists a $(\tau_{FS}, \varepsilon_{FS}, q^{sig}_{FS}, q^{sec}_{FS})$-adversary $F_{FS}$ against FS then there exists a $(\tau_{KI}, \varepsilon_{KI}, q^{sig}_{KI}, q^{sec}_{KI})$-adversary $F_{KI}$ against KI with $\tau_{KI} = \tau_{FS}$, $\varepsilon_{KI} = \varepsilon_{FS}$, $q^{sig}_{KI} = q^{sig}_{FS} + q^{sec}_{FS}$ and $q^{sec}_{KI} = N \cdot$ .
Abstract. Informally, a public-key steganography protocol allows two 
parties, who have never met or exchanged a secret, to send hidden mes- 
sages over a public channel so that an adversary cannot even detect 
that these hidden messages are being sent. Unlike previous settings in 
which provable security has been applied to steganography, public-key 
steganography is information-theoretically impossible. In this work we 
introduce computational security conditions for public-key steganogra- 
phy similar to those introduced by Hopper, Langford and von Ahn [7] 
for the private-key setting. We also give the first protocols for public- 
key steganography and steganographic key exchange that are provably 
secure under standard cryptographic assumptions. Additionally, in the 
random oracle model, we present a protocol that is secure against adver- 
saries that have access to a decoding oracle (a steganographic analogue 
of Rackoff and Simon’s attacker-specific adaptive chosen-ciphertext ad- 
versaries from CRYPTO 91 [10]). 



1 Introduction 

Steganography refers to the problem of sending messages hidden in “innocent- 
looking” communications over a public channel so that an adversary eavesdrop- 
ping on the channel cannot even detect the presence of the hidden messages. 
Simmons [11] gave the most popular formulation of the problem: two prisoners, 
Alice and Bob, wish to plan an escape from jail. However, the prison warden, 
Ward, can monitor any communication between Alice and Bob, and if he detects 
any hint of “unusual” communications, he throws them both in solitary confine- 
ment. Alice and Bob must then transmit their secret plans so that nothing in 
their communication seems “unusual” to Ward. 

There have been many proposed solutions to this problem, ranging from 
rudimentary schemes using invisible ink to a protocol which is provably secure 
assuming that one-way functions exist [7]. However, the majority of these proto- 
cols have focused on the case where Alice and Bob share a secret or private key. If 
Alice and Bob were incarcerated before the need for steganography arose, these 
protocols would not help them. In contrast, public-key steganography allows 
parties to communicate steganographically with no prior exchange of secrets. As 
with public-key encryption, the sender of a message still needs to know the re- 
cipient’s public key or otherwise participate in a key exchange protocol. While it 
is true that if there is no global PKI, the use of public keys might raise suspicion, 
in many cases it is the sender of a message who is interested in concealing his 
communication and there is no need for him to publish any keys. 



C. Cachin and J. Camenisch (Eds.): EUROCRYPT 2004, LNCS 3027, pp. 323—341, 2004. 
(c) International Association for Cryptologic Research 2004 




324 Luis von Ahn and Nicholas J. Hopper



In this paper we consider the notion of public-key steganography against 
adversaries that do not attempt to disrupt the communication between Alice 
and Bob (i.e., the goal of the adversary is only to detect whether steganography 
is being used and not to disrupt the communication between the participants). 
We show that secure public-key steganography exists if any of several standard 
cryptographic assumptions hold (each of these assumptions implies semantically 
secure public-key cryptography). We also show that secure steganographic key 
exchange is possible under the Integer Decisional Diffie-Hellman (DDH) assump- 
tion. Furthermore, we introduce a protocol that is secure in the random oracle 
model against adversaries that have access to a decoding oracle (a steganographic 
analogue of attacker-specific adaptive chosen-ciphertext adversaries [10]). 

Related Work. There has been very little work on provably secure 
steganography (either in the private or the public key settings). A critical first 
step in this field was the introduction of an information-theoretic model for 
steganography by Cachin [4] , and several papers have since given similar mod- 
els [8,9,14]. Unfortunately, these works are limited in the same way that infor- 
mation theoretic cryptography is limited. In particular, in any of these frame- 
works, secure steganography between two parties with no shared secret is impos- 
sible. Hopper, Langford, and von Ahn [7] have given a theoretical framework for 
steganography based on computational security. Our model will be substantially 
similar to theirs, but their work addresses only the shared-key setting, which is 
already possible information-theoretically. Although one of their protocols can 
be extended to the public-key setting, they do not consider formal security re- 
quirements for public-key steganography, nor do they consider the notions of 
steganographic-key exchange or adversaries that have access to both encoding 
and decoding oracles. 

Anderson and Petitcolas [1], and Craver [5], have both previously described 
ideas for public-key steganography with only heuristic arguments for security. 
Since our work has been distributed, others have presented ideas for improving 
the efficiency of our basic scheme [12] and proposing a modification which makes 
the scheme secure against a more powerful active adversary [2]. 

To the best of our knowledge, we are the first to provide a formal frame- 
work for public-key steganography and to prove that public-key steganography 
is possible (given that standard cryptographic assumptions hold). We are also 
the first to consider adversaries that have access to decoding oracles (in a man- 
ner analogous to attacker-specific adaptive chosen-ciphertext adversaries [10]); 
we show that security against such adversaries can be achieved in the random 
oracle model. We stress, however, that our protocols are not robust against ad- 
versaries wishing to render the steganographic communication channel useless. 
Throughout the paper, the goal of the adversary is detection, not disruption. 

2 Definitions 

Preliminaries. A function $\mu : \mathbb{N} \to [0,1]$ is said to be negligible if for every $c > 0$, for all sufficiently large $n$, $\mu(n) < 1/n^c$. We denote the length (in bits) of a string or integer $s$ by $|s|$. The concatenation of string $s_1$ and string $s_2$ will be denoted by $s_1 \| s_2$. We also assume the existence of efficient, unambiguous pairing and un-pairing operations, so $(s_1, s_2)$ is not the same as $s_1 \| s_2$. We let $U_k$ denote the uniform distribution on $k$-bit strings. If $X$ is a finite set, we let $U(X)$ denote the uniform distribution on $X$.

If $\mathcal{C}$ is a distribution with finite support $X$, we define the minimum entropy of $\mathcal{C}$, $H_\infty(\mathcal{C})$, as $H_\infty(\mathcal{C}) = \min_{x \in X}\{\log_2(1/\Pr_{\mathcal{C}}[x])\}$. We say that a function $f : X \to \{0,1\}$ is $\epsilon$-biased if $|\Pr_{x \leftarrow \mathcal{C}}[f(x) = 0] - 1/2| < \epsilon$. We say $f$ is unbiased if $f$ is $\epsilon$-biased for $\epsilon$ a negligible function of the appropriate security parameter. We say $f$ is perfectly unbiased if $\Pr_{x \leftarrow \mathcal{C}}[f(x) = 0] = 1/2$.

Integer Decisional Diffie-Hellman. Let $P$ and $Q$ be primes such that $Q$ divides $P - 1$, let $\mathbb{Z}_P$ be the multiplicative group of integers modulo $P$, and let $g \in \mathbb{Z}_P$ have order $Q$. Let $A$ be an adversary that takes as input three elements of $\mathbb{Z}_P$ and outputs a single bit. Define the DDH advantage of $A$ over $(g, P, Q)$ as:
\[
\mathbf{Adv}^{ddh}_{g,P,Q}(A) = \left|\,\Pr_{a,b,r}\bigl[A_r(g^a, g^b, g^{ab}) = 1\bigr] - \Pr_{a,b,c,r}\bigl[A_r(g^a, g^b, g^c) = 1\bigr]\,\right|
\]
where $A_r$ denotes the adversary $A$ running with random tape $r$; $a, b, c$ are chosen uniformly at random from $\mathbb{Z}_Q$ and all the multiplications are over $\mathbb{Z}_P$. Define the DDH insecurity of $(g, P, Q)$ as $\mathbf{InSec}^{ddh}_{g,P,Q}(t) = \max_{A \in \mathcal{A}(t)} |\mathbf{Adv}^{ddh}_{g,P,Q}(A)|$, where $\mathcal{A}(t)$ denotes the set of adversaries $A$ that run for at most $t$ time steps.



Trapdoor One-Way Permutations. A trapdoor one-way permutation family $\Pi$ is a sequence of sets $\{\Pi_k\}_k$, where each $\Pi_k$ is a set of bijective functions $\pi : \{0,1\}^k \to \{0,1\}^k$, along with a triple of algorithms $(G, E, I)$. $G(1^k)$ samples an element $\pi \in \Pi_k$ along with a trapdoor $\tau$; $E(\pi, x)$ evaluates $\pi(x)$ for $x \in \{0,1\}^k$; and $I(\tau, y)$ evaluates $\pi^{-1}(y)$. For a PPT $A$ running in time $t(k)$, denote the advantage of $A$ against $\Pi$ by
\[
\mathbf{Adv}^{tp}_{\Pi}(A, t) = \Pr_{(\pi, \tau) \leftarrow G(1^k),\ x \leftarrow U_k}\bigl[A(\pi(x)) = x\bigr].
\]
Define the insecurity of $\Pi$ by $\mathbf{InSec}^{tp}_{\Pi}(t, k) = \max_{A \in \mathcal{A}(t)}\{\mathbf{Adv}^{tp}_{\Pi}(A, t)\}$, where $\mathcal{A}(t)$ denotes the set of all adversaries running in time $t(k)$. We say that $\Pi$ is a trapdoor one-way permutation family if for every probabilistic polynomial-time (PPT) $A$, $\mathbf{Adv}^{tp}_{\Pi}(A, t)$ is negligible in $k$.



3 Channels 

We seek to define steganography in terms of indistinguishability from a “usual” 
or innocent-looking distribution on communications. In order to do so, we must 
characterize this innocent-looking distribution. We follow [7] in using the no- 
tion of a channel, which models a prior distribution on the entire sequence of 
communication from one party to another: 
Definition. Let $D$ be an efficiently recognizable, prefix-free set of strings, or documents. A channel is a distribution on sequences $s \in D^*$.

Any particular sequence in the support of a channel describes one possible out- 
come of all communications from Alice to Bob. The process of drawing from the 
channel, which results in a sequence of documents, is equivalent to a process that 
repeatedly draws a single “next” document from a distribution consistent with 
the history of already drawn documents. Therefore, we can think of communica- 
tion as a series of these partial draws from the channel distribution, conditioned 
on what has been drawn so far. Notice that this notion of a channel is more 
general than the typical setting in which every symbol is drawn independently 
according to some fixed distribution: our channel explicitly models the depen- 
dence between symbols common in typical real-world communications. 

Let $\mathcal{C}$ be a channel. We let $\mathcal{C}_h$ denote the marginal channel distribution on
a single document from $D$ conditioned on the history $h$ of already drawn docu-
ments; we let $\mathcal{C}_h^l$ denote the marginal distribution on sequences of $l$ documents
conditioned on $h$. When we write "sample $x \leftarrow \mathcal{C}_h$" we mean that a single doc-
ument should be returned according to the distribution conditioned on $h$. We
use $\mathcal{C}_{A \to B, h}$ to denote the distribution on the communication from party $A$ to
party $B$.

We will require that a channel satisfy a minimum entropy constraint for all
histories. Specifically, we require that there exist constants $L > 0$, $b > 0$, $\alpha > 0$
such that for all $h \in D^L$, either $\Pr_{\mathcal{C}}[h] = 0$ or $H_\infty(\mathcal{C}_h^b) > \alpha$. If a channel does
not satisfy this property, then it is possible for Alice to drive the information
content of her communications to 0, so this is a reasonable requirement. We
say that a channel satisfying this condition is $L$-informative, and if a channel
is $L$-informative for all $L > 0$, we say it is always informative. Note that this
definition implies an additive-like property of minimum entropy for marginal
distributions, specifically, $H_\infty(\mathcal{C}_h^{lb}) > l\alpha$. For ease of exposition, we will assume
channels are always informative in the remainder of this paper; however, our
theorems easily extend to situations in which a channel is $L$-informative.

In our setting, each ordered pair of parties $(P, Q)$ will have their own channel
distribution $\mathcal{C}_{P \to Q}$. In these cases, we assume that among the legitimate parties,
only party $A$ has oracle access to marginal channel distributions $\mathcal{C}_{A \to B, h}$ for every
other party $B$ and history $h$. On the other hand, we will allow the adversary
oracle access to marginal channel distributions $\mathcal{C}_{P \to Q, h}$ for every pair $P, Q$ and
every history $h$. This allows the adversary to learn as much as possible about
any channel distribution but does not require any legitimate participant to know
the distribution on communications from any other participant. We will assume
that each party knows the history of communications it has sent and received
from every other participant. We will also assume that cryptographic primitives
remain secure with respect to oracles which draw from the marginal channel
distributions $\mathcal{C}_{A \to B, h}$.
4 Pseudorandom Public-Key Encryption

We will require public-key encryption schemes that are secure in a slightly non-
standard model, which we will denote by IND$-CPA in contrast to the more stan-
dard IND-CPA. The main difference is that security against IND$-CPA requires
the output of the encryption algorithm to be indistinguishable from uniformly
chosen random bits. Let $\mathcal{E} = (G, E, D)$ be a probabilistic public-key encryption
scheme, where $E : \mathcal{PK} \times \mathcal{R} \times \mathcal{P} \to \mathcal{C}$. Consider a game in which an adversary
$A$ is given a public key drawn from $G(1^k)$ and chooses a message $m_A$. Then $A$
is given either $E_{PK}(m_A)$ or a uniformly chosen string of the same length. Let
$\mathcal{A}(t, l)$ be the set of adversaries $A$ which produce a message of length at most
$l(k)$ bits and run for at most $t(k)$ time steps. Define the IND$-CPA advantage of
$A$ against $\mathcal{E}$ as

$$\mathbf{Adv}^{cpa\$}_{\mathcal{E}}(A, k) = \left| \Pr[A(PK, E_{PK}(m_A)) = 1] - \Pr[A(PK, U_{|E_{PK}(m_A)|}) = 1] \right| .$$

Define the insecurity of $\mathcal{E}$ as $\mathbf{InSec}^{cpa\$}_{\mathcal{E}}(t, l, k) = \max_{A \in \mathcal{A}(t,l)} \{\mathbf{Adv}^{cpa\$}_{\mathcal{E}}(A, k)\}$. $\mathcal{E}$
is $(t, l, k, \epsilon)$-indistinguishable from random bits under chosen plaintext attack if
$\mathbf{InSec}^{cpa\$}_{\mathcal{E}}(t, l, k) \le \epsilon(k)$. $\mathcal{E}$ is called indistinguishable from random bits under cho-
sen plaintext attack (IND$-CPA) if for every probabilistic polynomial-time (PPT)
$A$, $\mathbf{Adv}^{cpa\$}_{\mathcal{E}}(A, k)$ is negligible in $k$. For completeness, we show how to construct
IND$-CPA public-key encryption schemes from the RSA and Decisional Diffie-
Hellman assumptions. We omit detailed proofs of security for the constructions
below, as they are standard modifications to existing schemes. In the full version
of this paper, we show that much more general assumptions suffice for IND$-CPA
security.



4.1 RSA-based Construction

The RSA function $E_{N,e}(x) = x^e \bmod N$ is believed to be a trapdoor one-way
permutation family. The following construction uses Young and Yung's Prob-
abilistic Bias Removal Method (PBRM) [13] to remove the bias incurred by
selecting an element from $\mathbb{Z}_N$ rather than $U_k$.

Construction 1. (RSA-based Pseudorandom Encryption Scheme)

Procedure Encrypt:
Input: plaintext $m$; public key $N, e$
let $k = |N|$, $l = |m|$
repeat:
    Sample $x_0 \leftarrow U(\mathbb{Z}_N)$
    for $i = 1 \ldots l$ do
        set $b_i = x_{i-1} \bmod 2$
        set $x_i = x_{i-1}^e \bmod N$
    sample $c \leftarrow U_1$
until $(x_l < 2^k - N)$ OR $c = 1$
if $(x_l < 2^k - N)$ and $c = 0$ set $x' = x_l$
if $(x_l < 2^k - N)$ and $c = 1$ set $x' = 2^k - x_l$
(otherwise the loop exited with $x_l \ge 2^k - N$ and $c = 1$: set $x' = x_l$)
Output: $x', b \oplus m$

Procedure Decrypt:
Input: $x', c$, $(N, d)$
let $l = |c|$, $k = |N|$
if $(x' \ge N)$ set $x_l = 2^k - x'$
else set $x_l = x'$
for $i = l \ldots 1$ do
    set $x_{i-1} = x_i^d \bmod N$
    set $b_i = x_{i-1} \bmod 2$
Output: $c \oplus b$

The IND$-CPA security of the scheme follows from the correctness of PBRM and
the fact that the least-significant bit is a hardcore bit for RSA. Notice that the
expected number of repeats in the encryption routine is at most 2. The three
output cases send $[0, 2^k - N)$, its reflection $[N, 2^k)$, and $[2^k - N, N)$ to disjoint
parts of $[0, 2^k)$, each value being reached with probability $1/(2N)$ per iteration,
which is why $x'$ is uniform on $k$-bit strings; only reflected values are $\ge N$, so
Decrypt undoes the reflection exactly in that case.
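Construction 1 as runnable Python, added here as an illustration (this is not code from the paper). It uses a constructed 60-bit toy RSA key, which is far too small to be secure, and it reflects with $2^k - 1 - x_l$ rather than the paper's $2^k - x_l$ so that the output always fits in $k$ bits (a deliberate off-by-one adjustment of mine). The RNG is injected so runs are reproducible.

```python
import random

# Constructed toy RSA key (two well-known primes).  A 60-bit modulus is
# hopelessly insecure; it is only here so the construction can be exercised.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = N.bit_length()                  # k = |N|; note 2^(k-1) < N < 2^k


def encrypt(m_bits, n, e, rng):
    """Construction 1 Encrypt: returns (x', b XOR m) with x' uniform on {0,1}^k."""
    k = n.bit_length()
    small = (1 << k) - n            # the interval [0, 2^k - N) that PBRM may reflect
    while True:
        x = rng.randrange(n)        # x_0 <- U(Z_N)
        pad = []
        for _ in range(len(m_bits)):
            pad.append(x & 1)       # b_i = x_{i-1} mod 2, the RSA hardcore bit
            x = pow(x, e, n)        # x_i = x_{i-1}^e mod N
        c = rng.getrandbits(1)      # the PBRM coin
        if x < small or c == 1:
            break
    if x < small and c == 0:
        x_out = x                   # keep x_l in [0, 2^k - N)
    elif x < small:
        x_out = (1 << k) - 1 - x    # reflect into [N, 2^k) (paper: 2^k - x_l)
    else:
        x_out = x                   # x_l in [2^k - N, N) and c = 1
    return x_out, [b ^ m for b, m in zip(pad, m_bits)]


def decrypt(x_out, ct_bits, n, d):
    """Construction 1 Decrypt: undo the reflection, then walk the RSA chain backwards."""
    k = n.bit_length()
    x = (1 << k) - 1 - x_out if x_out >= n else x_out   # recover x_l
    pad = [0] * len(ct_bits)
    for i in range(len(ct_bits) - 1, -1, -1):
        x = pow(x, d, n)            # x_{i-1} = x_i^d mod N
        pad[i] = x & 1              # b_i = x_{i-1} mod 2
    return [b ^ c for b, c in zip(pad, ct_bits)]


def ciphertext_fits(x_out, n):
    """The first ciphertext component must be a k-bit string: 0 <= x' < 2^k."""
    return 0 <= x_out < (1 << n.bit_length())


def roundtrip(m_bits, seed):
    """Encrypt then decrypt under the toy key with a seeded RNG; True on success."""
    x_out, ct = encrypt(m_bits, N, E, random.Random(seed))
    return ciphertext_fits(x_out, N) and decrypt(x_out, ct, N, D) == m_bits
```

The output pair (a $k$-bit integer plus $l$ masked bits) is exactly the kind of uniformly distributed bit string that Section 6 later feeds into Basic_Encode.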



4.2 DDH-based Construction

Let $E_K(\cdot)$ and $D_K(\cdot)$ denote the encryption and decryption functions of a private-
key encryption scheme satisfying IND$-CPA, keyed by $\kappa$-bit keys, and let $\kappa \le k/3$
(private-key IND$-CPA encryption schemes have appeared in the literature; see,
for instance, [7]). Let $\mathcal{H}_k$ be a family of pairwise-independent hash functions
$H : \{0,1\}^k \to \{0,1\}^\kappa$. We let $P$ be a $k$-bit prime (so $2^{k-1} < P < 2^k$), and
let $P = rQ + 1$ where $(r, Q) = 1$ and $Q$ is also a prime. Let $\hat{g}$ generate $\mathbb{Z}_P^*$
and $g = \hat{g}^r \bmod P$ generate the unique subgroup of order $Q$. The security of
the following scheme follows from the Decisional Diffie-Hellman assumption, the
leftover-hash lemma, and the security of $(E, D)$:

Construction 2. (ElGamal-based random-bits encryption)

Procedure Encrypt:
Input: $m \in \{0,1\}^*$; $(\hat{g}, g^a, P)$
Sample $H \leftarrow \mathcal{H}_k$
repeat:
    Sample $b \leftarrow \mathbb{Z}_{P-1}$
until $(\hat{g}^b \bmod P) < 2^{k-1}$
set $K = H((g^a)^b \bmod P)$
Output: $H, \hat{g}^b, E_K(m)$

Procedure Decrypt:
Input: $(H, s, c)$; private key $(a, P, Q)$
let $r = (P - 1)/Q$
set $K = H(s^{ra} \bmod P)$
Output: $D_K(c)$

(Correctness: $s^{ra} = \hat{g}^{bra} = (\hat{g}^r)^{ab} = g^{ab} = (g^a)^b$, so both sides derive the same
$K$. The transmitted element $\hat{g}^b$ ranges over all of $\mathbb{Z}_P^*$, which is why rejecting
values with the top bit set leaves it essentially uniform on $(k-1)$-bit strings; the
subgroup element $g^{ab}$ itself is never sent.)

The security proof considers two hybrid encryption schemes: $H_1$ replaces the
value $(g^a)^b$ by a random element of the subgroup of order $Q$, $g^c$, and $H_2$ re-
places $K$ by a random draw from $\{0,1\}^\kappa$. Clearly distinguishing $H_2$ from random
bits requires distinguishing some $E_K(m)$ from random bits. The Leftover Hash
Lemma gives that the statistical distance between $H_2$ and $H_1$ is at most $2^{-\kappa}$.
Finally, any distinguisher $A$ for $H_1$ from the output of Encrypt with advantage
$\epsilon$ can be used to solve the DDH problem with advantage at least $\epsilon/2$, by trans-
forming $g^b$ to $B = (g^b)^{\hat{r}} \hat{g}^{\beta Q}$, where $\hat{r}$ is the least integer such that $r\hat{r} = 1 \bmod Q$
and $\beta \leftarrow \mathbb{Z}_r$, outputting 0 if $B > 2^{k-1}$, and otherwise drawing $H \leftarrow \mathcal{H}_k$ and
running $A$ on $H \| B \| E_{H(g^c)}(m)$.

5 Public-Key Steganography

Definition 1. (Stegosystem) A public-key stegosystem is a triple of probabilis-
tic algorithms $S = (SG, SE, SD)$. $SG(1^k)$ generates a key pair $(PK, SK) \in
\mathcal{PK} \times \mathcal{SK}$. $SE$ takes a (public) key $PK \in \mathcal{PK}$, a string $m \in \{0,1\}^*$ (the hid-
dentext), and a message history $h$. $SE$ also has access to a channel oracle for
some channel $\mathcal{C}$, which can sample from $\mathcal{C}_h$ for any $h$. $SE(PK, m, h)$ returns a
sequence of documents $s_1, s_2, \ldots, s_l$ (the stegotext) from the support of $\mathcal{C}_h^l$. $SD$
takes a (secret) key $SK \in \mathcal{SK}$, a sequence of documents $s_1, s_2, \ldots, s_l$, and a mes-
sage history $h$, and returns a hiddentext $m$. Additionally, for every polynomial
$p$ there must exist a negligible $\mu$ such that

$$\forall m \in \{0,1\}^{p(k)} : \Pr_{(PK,SK) \leftarrow SG(1^k)}\left[SD(SK, SE(PK, m, h), h) = m\right] \ge 1 - \mu(k)$$

where the randomization is also over any coin tosses of $SE$, $SD$, $SG$ and the
oracle to $\mathcal{C}_h$.

Remarks. We emphasize the terminology: the secret message that Alice wants
to send to Bob is called the hiddentext, documents from the channel are called
covertexts, and documents that are output by $SE$ are called stegotexts. We also
stress that $SE$ need not know the exact probabilities of documents in $\mathcal{C}_h$. This is
important to mention, as it is unreasonable to assume that the probabilities in
$\mathcal{C}_h$ are known, whereas anybody communicating can be thought of as an oracle
for the channel distribution $\mathcal{C}_h$.



5.1 Steganographic Secrecy against Chosen Hiddentext Attack

In a chosen hiddentext attack, $W$ is allowed to supply hiddentexts to Alice, in
hopes of detecting whether or not she is using steganography in her communi-
cations with Bob. (Note that a chosen hiddentext attack is the steganographic
equivalent of a chosen plaintext attack against an encryption scheme.)

We will model a warden attacking a stegosystem as an efficient oracle machine
which plays the following game. First, a pair $(PK, SK)$ is drawn from $SG(1^k)$
and $W$ is allowed to access $PK$ and $\mathcal{C}_h$ for any history $h$, to produce a message
$m_W$ and a history $h_W$. Then $W$ is given access to a sequence $s \in D^*$, which
is drawn either from $SE(PK, m_W, h_W)$ or $\mathcal{C}_{h_W}^{l}$, and continues to access $\mathcal{C}_h$ for
any history $h$ (this oracle allows $W$ to learn the covertext distribution on all
communications). Finally $W$ outputs a bit which is a "guess" about whether $s$
is a stegotext or a covertext.

We define the CHA advantage of $W$ against stegosystem $S$ over channel $\mathcal{C}$
by

$$\mathbf{Adv}^{cha}_{S,\mathcal{C}}(W, k) = \left| \Pr[W^{\mathcal{C}}(PK, s) = 1] - \Pr[W^{\mathcal{C}}(PK, \mathcal{C}_{h_W}^{l}) = 1] \right| ,$$

where the probabilities are taken over $(PK, SK) \leftarrow SG(1^k)$, $(m_W, h_W) \leftarrow
W^{\mathcal{C}}(PK)$, $s \leftarrow SE(PK, m_W, h_W)$, the random bits of $W$ and the responses
of the oracle $\mathcal{C}$. Define the insecurity of $S$ over channel $\mathcal{C}$ by

$$\mathbf{InSec}^{cha}_{S,\mathcal{C}}(t, l, k) = \max_{W \in \mathcal{W}(t,l)} \left\{ \mathbf{Adv}^{cha}_{S,\mathcal{C}}(W, k) \right\} ,$$

where $\mathcal{W}(t, l)$ denotes the set of all adversaries
which choose a message of length at most $l(k)$ bits, and run in time at most $t(k)$.
For ease of notation, we will denote $W^{\mathcal{C}}$ by $W$ for the remainder of the paper.

Thus, $S$ is secure against chosen-hiddentext attacks if the warden, even given
Bob's public key, cannot tell whether Alice's message to Bob encodes any hid-
dentext at all, even one of his choice.
5.2 Chosen-Stegotext Attacks

In a Chosen-Stegotext Attack, Ward is monitoring the communications from
Alice to Bob, trying to detect any hint that the pair are using steganography. In
particular, he not only has some partial knowledge of the messages Alice might
be encoding, he can pretend to be Alice, sending messages (presumably encoding
hiddentexts) to Bob and observing Bob's reaction to see if Bob is trying to decode
them. Ward can even make small changes to Alice's messages to see how Bob
reacts to them. If Bob is decoding Alice's messages, he will output hiddentexts,
whereas otherwise he will have no special reaction, which we signify by the output
$\bot$. In order to protect against this attack, there must be something Alice knows
that Ward doesn't. So we extend the definition of a stegosystem to include a
fourth algorithm $SSG(1^k)$ which outputs a pair $(KV, KS)$. If Alice wants to
send messages that are protected in this way, she chooses $(KV, KS) \leftarrow SSG(1^k)$
and publishes $KV$ in the same way that Bob would publish $PK$. We modify the
encoding algorithm to take $KS$ as an additional argument, and the decoding
algorithm to require $KV$. (So in a system designed to resist this attack, Bob
must know Alice's public value $KV$ to decode her messages.)

We formally model a chosen-stegotext attacker as an oracle PPT $W$ which
plays the following game. First, draw $(PK, SK) \leftarrow SG(1^k)$, and $(KV, KS) \leftarrow
SSG(1^k)$. Then $W$ is given $(PK, KV)$ and accesses an oracle, which is either
$ST$ (for StegoText) or $CT$ (for CoverText), and which respond to queries using
these programs (where $\phi = \{\}$ initially):

$ST(b \in \{enc, dec\}, m, h)$:
    if $(b = enc)$ then:
        Sample $s \leftarrow SE(PK, KS, m, h)$
        Set $\phi = \phi \cup \{(s, h)\}$; return $s$
    else if $(m, h) \in \phi$ return $\bot$
    else return $SD(SK, KV, m, h)$

$CT(b \in \{enc, dec\}, m, h)$:
    if $(b = enc)$ then:
        Sample $s \leftarrow \mathcal{C}_h^{l}$ (a covertext of the length $SE$ would produce for $m$)
        Set $\phi = \phi \cup \{(s, h)\}$; return $s$
    else if $(m, h) \in \phi$ return $\bot$
    else return $\bot$

Suppose $W$ runs in time $t$, and makes $q_e$ queries of the form $(enc, *, *)$, totalling
$l$ bits, and $q_d$ queries of the form $(dec, *, *)$. We define $W$'s CSA advantage
against $S$ for channel $\mathcal{C}$ by

$$\mathbf{Adv}^{csa}_{S,\mathcal{C}}(W, k) = \left| \Pr[W^{ST}(PK, KV) = 1] - \Pr[W^{CT}(PK, KV) = 1] \right| ,$$

and the insecurity by $\mathbf{InSec}^{csa}_{S,\mathcal{C}}(t, q_e, q_d, l, k) = \max_{W \in \mathcal{W}(t, q_e, q_d, l)} \{\mathbf{Adv}^{csa}_{S,\mathcal{C}}(W, k)\}$.
Thus, in a chosen-stegotext attack, Ward may ask Alice to encode any (mes-
sage, history) pair of his choosing, as often as he likes, and may query Bob on
any pair $(s, h)$ where $s$ was not a result of an encoding query for history $h$. Notice
that if Ward can ask Bob to decode any message output by Alice for the same
history it was encoded with, he can detect the use of steganography between Al-
ice and Bob; this is why we do not allow Ward to query Bob on such stegotexts.
This restriction is roughly analogous to the standard restriction that an adaptive
chosen-ciphertext attacker may not query his decryption oracle on the challenge
ciphertext. The use of a secret by the encryptor makes this security condition
roughly analogous to the notion of "attacker-specific" adaptive chosen-ciphertext
attack from [10], in which an attacker who tries to access the decryption of a
message he didn't send is given the response $\bot$. This "attacker-specific" notion
of security is stronger than CCA-1 security but weaker than the now-standard
CCA-2 security [10]. Note, however, that chosen-stegotext security protects both
the sender and the receiver.



5.3 Relationships among Notions

We formalize the notions of steganographic secrecy as follows.

Definition 2. A stegosystem $S$ is called steganographically secret for channel
$\mathcal{C}$ against attack model atk (SS-ATK) if for every PPT $A$, $\mathbf{Adv}^{atk}_{S,\mathcal{C}}(A, k)$ is neg-
ligible in $k$.

A natural question is: what are the relationships between these security notions
and the standard notions from public-key cryptography? In this section we give
the key relationships between these notions.

SS-CHA is strictly stronger than IND-CPA. By a standard argument based
on the triangle inequality, if $A$ can distinguish $SE(m_0)$ from $SE(m_1)$ with ad-
vantage $\epsilon$, he must be able to distinguish one of these from $\mathcal{C}_h$ with advantage at
least $\epsilon/2$. Thus every SS-CHA secure stegosystem must also be IND-CPA secure.
On the other hand, let $S$ be any IND-CPA secure cryptosystem. Then $S'$ which
prepends a known, fixed sequence of documents to the output of $S$ is
still IND-CPA secure but has an SS-CHA distinguisher with advantage $1 - o(1)$
for any $L$-informative channel.

SS-CSA is strictly stronger than SS-CHA. Suppose that we take a SS-CSA-
secure stegosystem $S = (SG, SSG, SE, SD)$ and define $SE'(PK, m, h)$ to draw a
random $(KV, KS) \leftarrow SSG(1^k)$ and return $SE(PK, KS, m, h)$. Then any CHA
warden against $SE'$ is also a single-query CSA warden against $S$. (However,
whether there is a corresponding modification $SD'$ so that $S'$ is sound may
be dependent on the construction; such modification is possible for our con-
struction.) On the other hand, SS-CHA security does not imply SS-CSA security: if
$(SG, SE, SD)$ is SS-CHA secure, then so is $S' = (SG, SE', SD')$ where $SE'(m, h)$
draws $s \leftarrow SE(m, h)$ and $s' \leftarrow \mathcal{C}_{(h, s)}$ and returns $(s, s')$, while $SD'((s, s'), h)$
returns $SD(s, h)$. But $S'$ is trivially vulnerable to a chosen-stegotext attack
with advantage 1: query $(enc, m, h)$ to get $(s, s')$, draw $s'' \leftarrow \mathcal{C}_{(h, s)}$ and query
$(dec, (s, s''), h)$. If the result is not $\bot$, return 1, otherwise return 0.

6 Constructions

Most of our protocols build on the following construction, a generalization of
Construction 2 in [7] and similar to a protocol given by Cachin [4]. Let $f : D \to
\{0,1\}$ be a public function (recall that $\mathcal{C}$ is a distribution on sequences of elements
of $D$). If $f$ is perfectly unbiased on $\mathcal{C}_h$ for all $h$, then the following encoding
procedure, on uniformly distributed $l$-bit input $c$, produces output distributed
exactly according to $\mathcal{C}_h^l$:

Construction 3. (Basic encoding/decoding routines)

Procedure Basic_Encode:
Input: $c_1, \ldots, c_l \in \{0,1\}^l$, $h \in D^*$, $k$
for $i = 1 \ldots l$ do
    Let $j = 0$
    repeat:
        sample $s_i \leftarrow \mathcal{C}_h$, increment $j$
    until $f(s_i) = c_i$ OR $(j > k)$
    set $h = h \| s_i$
Output: $s_1, s_2, \ldots, s_l$

Note that for infinitely many $\mathcal{C}_h$ there is no perfectly unbiased function $f$. In
appendix B, we prove Proposition 1, which together with Proposition 2, justifies
our use of unbiased functions. The proof for Proposition 2 is straightforward and
is omitted from the paper.

Proposition 1. Any channel $\mathcal{C}$ which is always informative can be compiled
into a channel which admits an efficiently computable function $f$ such that
for any polynomial-length sequence $h_1, \ldots, h_n$ all satisfying $\Pr_{\mathcal{C}}[h_i] \ne 0$, the bias
$\left| \Pr[f(\mathcal{C}_{h_i}) = 1] - \tfrac{1}{2} \right|$ is negligible in $k$ for all $1 \le i \le n$.

Proposition 2. If $f$ is $\epsilon$-biased on $\mathcal{C}_h$ for all $h$, then for any $k$ and $s_1, s_2, \ldots, s_l$:

$$\left| \Pr_{c \leftarrow U_l}\left[\text{Basic\_Encode}(c, h, k) = s_1, s_2, \ldots, s_l\right] - \Pr_{s \leftarrow \mathcal{C}_h^l}\left[s = s_1, s_2, \ldots, s_l\right] \right| \le l\epsilon .$$

Using the previous two propositions, we will show that public-key steganography
is possible in any channel that is always informative. We note that procedure
Basic_Encode has a small probability of failure: it is possible to have $f(s_i) \ne c_i$.
This probability of failure, however, is negligible in $k$.

6.1 Chosen Hiddentext Security

Let $E_{PK}(\cdot)$ and $D_{SK}(\cdot)$ denote the encryption and decryption algorithms for a
public-key cryptosystem $\mathcal{E}$ which is indistinguishable from random bits under
chosen plaintext attack (IND$-CPA). Let $\ell$ be the expansion function of $\mathcal{E}$, i.e.,
$|E_{PK}(m)| = \ell(|m|)$. The following procedures allow encoding and decoding of
messages in a manner which is steganographically secret under chosen hiddentext
attack for the channel distribution $\mathcal{C}$:

Construction 4. (Chosen Hiddentext Security)

Procedure CHA_Encode:
Input: key $PK$, $m \in \{0,1\}^*$, $h \in D^*$
Let $c = E_{PK}(m)$
Output: Basic_Encode$(c, h, k)$

Procedure CHA_Decode:
Input: secret key $SK$, $s \in D^{\ell(|m|)}$
Let $c$ = Basic_Decode$(s)$
Output: $D_{SK}(c)$

Procedure Basic_Decode:
Input: Stegotext $s_1, s_2, \ldots, s_l$
for $i = 1 \ldots l$ do
    set $c_i = f(s_i)$
set $c = c_1 \| c_2 \| \cdots \| c_l$
Output: $c$
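Constructions 3 and 4 in runnable form, added here as an illustration rather than taken from the paper. The channel is a constructed toy: documents are short words and the next word depends on the previous one, so $\mathcal{C}_h$ is genuinely history-dependent; every conditional distribution gives odd- and even-length words probability exactly $1/2$, so $f(s) = |s| \bmod 2$ is perfectly unbiased and the encoder's output is distributed exactly as the channel. The `bias` helper computes the $\epsilon$ of Proposition 2 for one history. The IND$-CPA encryption of Construction 4 is not included; `basic_encode` takes the already-pseudorandom bit string $c$ as input.

```python
import random

# Constructed toy channel: next document conditioned on the last one sent.
# Each conditional distribution puts mass 1/2 on odd- and 1/2 on even-length
# words, so f below is unbiased on every C_h.
START = None
CHANNEL = {
    START:    {"yes": 0.25, "ok": 0.25, "wow": 0.25, "fine": 0.25},
    "yes":    {"cool": 0.5, "bye": 0.5},
    "ok":     {"nice": 0.3, "sure": 0.2, "yep": 0.5},
    "wow":    {"thanks": 0.5, "later": 0.5},
    "fine":   {"ok": 0.5, "bye": 0.5},
    "cool":   {"yes": 0.5, "no": 0.5},
    "bye":    {"ok": 0.5, "later": 0.5},
    "nice":   {"yep": 0.5, "fine": 0.5},
    "sure":   {"wow": 0.5, "ok": 0.5},
    "yep":    {"sure": 0.5, "bye": 0.5},
    "thanks": {"bye": 0.5, "cool": 0.5},
    "later":  {"ok": 0.5, "yes": 0.5},
    "no":     {"later": 0.5, "fine": 0.5},
}


def f(doc):
    """Public function f : D -> {0,1}; here the parity of the word length."""
    return len(doc) % 2


def sample(history, rng):
    """Oracle for C_h: one document drawn conditioned on the history so far."""
    dist = CHANNEL[history[-1] if history else START]
    return rng.choices(list(dist), weights=list(dist.values()))[0]


def bias(history=()):
    """|Pr[f(C_h) = 1] - 1/2| for one history; Proposition 2 needs this <= eps for all h."""
    dist = CHANNEL[history[-1] if history else START]
    return abs(sum(p for w, p in dist.items() if f(w) == 1) - 0.5)


def basic_encode(bits, history, k, rng):
    """Construction 3: rejection-sample each document until f matches the next bit."""
    history = list(history)
    out = []
    for c in bits:
        j = 0
        while True:
            s = sample(history, rng)
            j += 1
            if f(s) == c or j > k:   # give up after k draws: Basic_Encode's failure case
                break
        out.append(s)
        history.append(s)            # h = h || s_i: later draws are conditioned on it
    return out


def basic_decode(stegotext):
    """Bob needs only f: c_i = f(s_i)."""
    return [f(s) for s in stegotext]


def is_in_support(stegotext, history=()):
    """Every document must be a legal next step of the channel from its history."""
    prev = history[-1] if history else START
    for s in stegotext:
        if s not in CHANNEL[prev]:
            return False
        prev = s
    return True


def roundtrip(bits, seed, k=32):
    """Encode then decode with a seeded RNG, checking the output is channel-legal."""
    st = basic_encode(bits, (), k, random.Random(seed))
    return is_in_support(st) and basic_decode(st) == bits
```

Dropping a word of one parity from any row of `CHANNEL` makes `bias` nonzero for that history, and Proposition 2 then bounds the warden's statistical advantage by $l\epsilon$; with a very small `k` the encoder may also emit a document whose $f$-value is wrong, which is the failure case the text mentions.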
Lemma 1. Assume $f$ is $\epsilon$-biased on $\mathcal{C}_h$ for all $h$. For any warden $W \in \mathcal{W}(t, l)$,
there is an IND$-CPA adversary $A$ with $\mathbf{Adv}^{cha}_{S,\mathcal{C}}(W, k) \le \mathbf{Adv}^{cpa\$}_{\mathcal{E}}(A, k) + \ell(l)\epsilon$.
The running time of $A$ is at most $t + O(kl)$ ($k$ is the security parameter of
$(PK, SK)$ and is used as a bound for Basic_Encode), and $A$ submits a plaintext
of length at most $l$.

Proof. We are given a program $W$ for distinguishing between the output of Con-
struction 4 and the ordinary traffic of the channel, and an oracle for sampling
blocks from that channel. We construct a program $A$ which plays the IND$-CPA
game: distinguishing $E_{PK}(m_W)$ from $U_{\ell(l)}$. $A(PK)$ simply runs $W(PK)$, to get
$(m_W, h_W)$ and returns $m_W$ for $m_A$. Then $A(PK, c)$ uses the oracle $\mathcal{C}_h$ to com-
pute $s$ = Basic_Encode$(c, h_W, k)$, and returns the output of $W(PK, s)$. Consider
the cases for $A$'s input. If $c \leftarrow E_{PK}(m_W)$, then $s \leftarrow$ CHA_Encode$(PK, m_W, h_W)$;
so we have $\Pr[A(PK, E_{PK}(m_A)) = 1] = \Pr[W(PK, SE(PK, m_W, h_W)) = 1]$.
If $c \leftarrow U_{\ell(l)}$, then $s$ is distributed identically to Basic_Encode$(U_{\ell(l)}, h_W, k)$; thus
$\left|\Pr[A(PK, U_{\ell(l)}) = 1] - \Pr[W(PK, \mathcal{C}_{h_W}^{\ell(l)}) = 1]\right| \le \ell(l)\epsilon$ by Proposition 2.

Combining the cases, we have $\mathbf{Adv}^{cha}_{S,\mathcal{C}}(W, k) \le \left|\Pr[A(PK, E_{PK}(m_A)) =
1] - \Pr[A(PK, U_{\ell(l)}) = 1]\right| + \ell(l)\epsilon = \mathbf{Adv}^{cpa\$}_{\mathcal{E}}(A, k) + \ell(l)\epsilon$, as claimed.

Theorem 1. If $f$ is $\epsilon$-biased on $\mathcal{C}_h$ for all $h$, then

$$\mathbf{InSec}^{cha}_{S,\mathcal{C}}(t, l, k) \le \mathbf{InSec}^{cpa\$}_{\mathcal{E}}(t + O(kl), l, k) + \ell(l)\epsilon .$$



6.2 Chosen-Stegotext Security

We will construct a stegosystem which is SS-CSA-secure in the Random Oracle
model, for any channel which is efficiently sampleable: that is, for which there
exists a PPT $C$ such that for all $h$, $C(h; U_k)$ and $\mathcal{C}_h$ are indistinguishable. We
assume that $\pi_A, \pi_B$ are elements of trapdoor one-way permutation family $\Pi_k$,
where Alice knows $\pi_A^{-1}$ and Bob knows $\pi_B^{-1}$. In addition, we assume all parties
have access to random oracles $F : \{0,1\}^* \to \{0,1\}^k$, $G : \{0,1\}^* \to \{0,1\}^k$,
$H_1 : \{0,1\}^k \to \{0,1\}^*$, and $H_2 : \{0,1\}^* \to \{0,1\}^k$. The following construction
slightly modifies techniques from [3], using the random oracles $H_1$ and $H_2$ with
$\pi_B$ to construct a pseudorandom non-malleable encryption scheme and the oracle
$F$ in conjunction with $\pi_A$ to construct a strongly unforgeable signature scheme.

Construction 5. (Chosen Stegotext Security)

Procedure UEncode$^C$:
Input: $c \in \{0,1\}^l$, $r$, $h$
for $i = 1 \ldots l$ do
    Let $j = 0$
    repeat:
        set $r_j = G(h, r, c, j)$
        set $s_i = C(h; r_j)$
        increment $j$
    until $f(s_i) = c_i \vee (j > k)$
    set $h = (h, s_i)$
Output: $s_1, s_2, \ldots, s_l$

Procedure CSA_Encode:
Input: $m$, $h$, $\pi_A^{-1}$, $\pi_B$
Choose $r \leftarrow U_k$
Let $\sigma = \pi_A^{-1}(F(r, m, h))$
Let $e = H_1(r) \oplus (m, \sigma)$
Let $\tau = H_2(r, m, h)$
Let $y = \pi_B(r)$
Let $c = y \| e \| \tau$
Output: UEncode$^C(c, r, h)$

Procedure CSA_Decode:
Input: $s$, $h$, $\pi_A$, $\pi_B^{-1}$
Let $c$ = Basic_Decode$(s)$
Parse $c$ as $y \| e \| \tau$
Set $r = \pi_B^{-1}(y)$
Let $(m, \sigma) = e \oplus H_1(r)$
If $s \ne$ UEncode$^C(c, r, h)$ $\vee$ $\tau \ne H_2(r, m, h)$ $\vee$ $\pi_A(\sigma) \ne F(r, m, h)$
    return $\bot$
Output: $m$
Theorem 2. If $f$ is $\epsilon$-biased for $\mathcal{C}$, then

$$\mathbf{InSec}^{csa}_{S,\mathcal{C}}(t, q_e, q_d, l, k) \le (2q_e + q_F)\,\mathbf{InSec}^{ow}_{\Pi}(t', k) + (l + 3q_e k)\epsilon + (q_e^2 + 2q_d)/2^k ,$$

where $t' \le t + (q_G + q_F + q_H)(q_e + q_d)T_\pi + k(l + 3q_e k)T_C$, $T_\pi$ is the time to
evaluate members of $\Pi$, and $T_C$ is the running time of $C$.

Intuitively, this stegosystem is secure because the encryption scheme em-
ployed is non-malleable, the signature scheme is strongly unforgeable, and each
triple of hiddentext, history, and random-bits has a unique valid stegotext, which
contains a signature on $(m, h, r)$. Thus any adversary making a valid decoding
query which was not the result of an encoding query can be used to forge a
signature for Alice, that is, invert the one-way permutation $\pi_A$. The full proof
is omitted for space considerations; see Appendix A for details.
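Construction 5 end to end, added here as an illustration (not the paper's code). The trapdoor permutations $\pi_A, \pi_B$ are constructed toy RSA keys (a 60-bit modulus, absurdly small), the random oracles $F, G, H_1, H_2$ are SHAKE-256 with tag prefixes for domain separation, and the efficiently sampleable channel $C(h; \text{coins})$ is a constructed eight-word list that ignores $h$ and has balanced length parity so $f(s) = |s| \bmod 2$ is unbiased. Two deviations of mine: $r$ is drawn from $\mathbb{Z}_{N_B}$ rather than $U_k$ so that $\pi_B(r)$ is defined, and $F$'s output is reduced modulo $N_A$ so that $\pi_A^{-1}$ applies. The `demo` helper also shows the decoder's $\bot$ check firing when one document of a stegotext is swapped for another of the same parity, which leaves $c$ intact but breaks the UEncode recomputation.

```python
import hashlib
import random


def rsa_keygen(p, q, e=65537):
    """Toy RSA as the trapdoor permutation family Pi: (N, e) is pi, (N, d) is pi^{-1}."""
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))


# Constructed keys.  Alice's trapdoor signs (pi_A^{-1}); Bob's decrypts (pi_B^{-1}).
PUB_A, PRIV_A = rsa_keygen(1000000007, 998244353)
PUB_B, PRIV_B = rsa_keygen(1000000009, 1000000021)
N_A, N_B = PUB_A[0], PUB_B[0]
K = N_B.bit_length()            # k: bit length of r, y, sigma and tau


def perm(key, x):
    """pi(x) under a public key, pi^{-1}(y) under a private one."""
    n, ex = key
    return pow(x, ex, n)


def ro(tag, *parts, nbits=K):
    """Random oracles F, G, H1, H2: SHAKE-256, domain-separated by tag."""
    data = tag.encode() + b"".join(b"|" + repr(p).encode() for p in parts)
    out = hashlib.shake_256(data).digest((nbits + 7) // 8)
    return int.from_bytes(out, "big") & ((1 << nbits) - 1)


# Constructed sampleable channel C(h; coins): half the words odd-length, half even.
WORDS = ["ok", "yes", "fine", "no", "later", "bye", "cool", "yep"]

def channel(h, coins):
    return WORDS[coins % len(WORDS)]

def f(doc):
    return len(doc) % 2

def to_bits(x, n):
    return [(x >> (n - 1 - i)) & 1 for i in range(n)]

def from_bits(bits):
    return int("".join(map(str, bits)), 2) if bits else 0


def uencode(c_bits, r, h):
    """UEncode^C: Basic_Encode with coins r_j = G(h, r, c, j), so the stegotext is a
    deterministic function of (c, r, h) that the decoder can recompute."""
    h, out, c = tuple(h), [], from_bits(c_bits)
    for ci in c_bits:
        j = 0
        while True:
            s = channel(h, ro("G", h, r, c, len(c_bits), j))
            j += 1
            if f(s) == ci or j > K:
                break
        out.append(s)
        h = h + (s,)                # h = (h, s_i)
    return out


def csa_encode(m, m_len, h, rng):
    """CSA_Encode for an m_len-bit message m (an int) and history h (tuple of documents)."""
    h = tuple(h)
    r = rng.randrange(N_B)                                  # r (paper: U_k)
    sigma = perm(PRIV_A, ro("F", r, m, m_len, h) % N_A)     # sigma = pi_A^{-1}(F(r, m, h))
    e = ro("H1", r, nbits=m_len + K) ^ ((m << K) | sigma)   # e = H1(r) XOR (m, sigma)
    tau = ro("H2", r, m, m_len, h)                          # tau = H2(r, m, h)
    y = perm(PUB_B, r)                                      # y = pi_B(r)
    c_bits = to_bits(y, K) + to_bits(e, m_len + K) + to_bits(tau, K)
    return uencode(c_bits, r, h)


def csa_decode(s, h):
    """CSA_Decode: (m, m_len) on success, None standing in for the symbol ⊥."""
    h, s = tuple(h), list(s)
    c_bits = [f(doc) for doc in s]                          # Basic_Decode
    m_len = len(c_bits) - 3 * K
    if m_len < 0:
        return None
    y, e = from_bits(c_bits[:K]), from_bits(c_bits[K:2 * K + m_len])
    tau = from_bits(c_bits[2 * K + m_len:])
    r = perm(PRIV_B, y)                                     # r = pi_B^{-1}(y)
    ms = e ^ ro("H1", r, nbits=m_len + K)
    m, sigma = ms >> K, ms & ((1 << K) - 1)
    if (s != uencode(c_bits, r, h)                          # must be the canonical stegotext
            or tau != ro("H2", r, m, m_len, h)
            or perm(PUB_A, sigma) != ro("F", r, m, m_len, h) % N_A):
        return None
    return m, m_len


def demo(m, m_len, h, seed):
    """Encode with a seeded RNG; return (decode result, result after a same-parity swap, s)."""
    s = csa_encode(m, m_len, h, random.Random(seed))
    alt = next(w for w in WORDS if w != s[0] and f(w) == f(s[0]))
    return csa_decode(s, h), csa_decode([alt] + s[1:], h), s
```

Because every stegotext for $(m, h, r)$ is unique, Ward gains nothing from re-submitting a modified copy of Alice's message: any change that preserves the bits $c$ fails the UEncode recomputation, and any change to $c$ breaks the tag $\tau$ or the signature $\sigma$.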

7 Steganographic Key Exchange 

Consider the original motivating scenario: Alice and Bob are prisoners, in an 
environment controlled by Ward, who wishes to prevent them from exchanging 
messages he can’t read. Then the best strategy for Ward, once he has read 
the preceding sections, is to ban Alice and Bob from publishing public keys. 
In this case, a natural alternative to public-key steganography is steganographic 
key exchange: Alice and Bob exchange a sequence of messages, indistinguishable 
from normal communication traffic, and at the end of this sequence they are 
able to compute a shared key. So long as this key is indistinguishable from a 
random key to the warden, Alice and Bob can proceed to use their shared key 
in a secret-key stegosystem. In this section, we will formalize this notion. 

Definition 3. (Steganographic Key Exchange Protocol) A steganographic key
exchange protocol, or SKEP, is a quadruple of efficient probabilistic algorithms
$\mathcal{S}_{KE} = (SE_A, SE_B, SD_A, SD_B)$. $SE_A$ and $SE_B$ take as input a security pa-
rameter $1^k$ and a string of random bits, and output a sequence of documents
of length $l(k)$; $SD_A$ and $SD_B$ take as input a security parameter, a string of
random bits, and a sequence of documents of length $l(k)$, and output an element
of the key space $\mathcal{K}$. Additionally, these algorithms satisfy the property that there
exists a negligible function $\mu(k)$ satisfying:

$$\Pr_{r_A, r_B}\left[SD_A(1^k, r_A, SE_B(1^k, r_B)) = SD_B(1^k, r_B, SE_A(1^k, r_A))\right] \ge 1 - \mu(k) .$$

We call the output of $SD_A(1^k, r_A, SE_B(1^k, r_B))$ the result of the protocol, we
denote this result by $SKE(r_A, r_B)$, and we denote by $\Sigma_{r_A, r_B}$ (for transcript) the
pair $(SE_A(1^k, r_A), SE_B(1^k, r_B))$.

Alice and Bob perform a key exchange using $\mathcal{S}_{KE}$ by sampling private ran-
domness $r_A, r_B$, asynchronously sending $SE_A(1^k, r_A)$ and $SE_B(1^k, r_B)$ to each
other, and using the result of the protocol as a key. Notice that in this definition
a SKEP must be an asynchronous single-round scheme, ruling out multi-round
key exchange protocols. This is for ease of exposition only.

Let $W$ be a warden running in time $t$. We define $W$'s SKE advantage against
$\mathcal{S}_{KE}$ on channels $\mathcal{C} = (\mathcal{C}_{A \to B}, \mathcal{C}_{B \to A})$ with security parameter $k$ by:

$$\mathbf{Adv}^{ske}_{\mathcal{S}_{KE},\mathcal{C}}(W, k) = \left| \Pr[W(\Sigma_{r_A, r_B}, SKE(r_A, r_B)) = 1] - \Pr[W((\sigma_A, \sigma_B), K) = 1] \right|$$

where $\sigma_A \leftarrow \mathcal{C}^{l(k)}_{A \to B, h_A}$, $\sigma_B \leftarrow \mathcal{C}^{l(k)}_{B \to A, h_B}$, $K \leftarrow \mathcal{K}$. We remark that, as in
our other definitions, $W$ also has access to channel oracles $\mathcal{C}_{A \to B, h}$ and $\mathcal{C}_{B \to A, h}$.
Let $\mathcal{W}(t)$ denote the set of all wardens running in time $t$. The SKE insecu-
rity of $\mathcal{S}_{KE}$ on $\mathcal{C}$ with security parameter $k$ is given by

$$\mathbf{InSec}^{ske}_{\mathcal{S}_{KE},\mathcal{C}}(t, k) = \max_{W \in \mathcal{W}(t)} \left\{ \mathbf{Adv}^{ske}_{\mathcal{S}_{KE},\mathcal{C}}(W, k) \right\} .$$

Definition 4. (Secure Steganographic Key Exchange) A SKEP $\mathcal{S}_{KE}$ is said to
be $(t, \epsilon)$-secure for channels $\mathcal{C}_{A \to B}$ and $\mathcal{C}_{B \to A}$ if $\mathbf{InSec}^{ske}_{\mathcal{S}_{KE},\mathcal{C}}(t, k) \le \epsilon(k)$. $\mathcal{S}_{KE}$
is said to be secure if for all polynomials $p$, $\mathcal{S}_{KE}$ is $(p(k), \epsilon(k))$-secure for some
negligible function $\epsilon$.



Construction. The idea behind the construction for steganographic key
exchange is simple: let $\hat{g}$ generate $\mathbb{Z}_P^*$, let $Q$ be a large prime with $P = rQ + 1$
and $r$ coprime to $Q$, and let $g = \hat{g}^r$ generate the subgroup of order $Q$. Alice
picks random values $a \in \mathbb{Z}_{P-1}$ uniformly at random until she finds one such
that $\hat{g}^a \bmod P$ has its most significant bit (MSB) set to 0 (so that $\hat{g}^a \bmod P$
is uniformly distributed in the set of bit strings of length $|P| - 1$). She then uses
Basic_Encode to send all the bits of $\hat{g}^a \bmod P$ except for the MSB (which is
zero anyway). Bob does the same and sends all the bits of $\hat{g}^b \bmod P$ except the
most significant one (which is zero anyway) using Basic_Encode. Bob and Alice
then perform Basic_Decode and agree on the key value $g^{ab}$:

Construction 6. (Steganographic Key Exchange)

Procedure SKE_Encode$_A$:
Input: $(P, Q, \hat{g})$, history $h$
repeat:
    sample $a \leftarrow U(\mathbb{Z}_{P-1})$
until $\hat{g}^a \bmod P < 2^{k-1}$
Let $c_a = \hat{g}^a \bmod P$
Output: Basic_Encode$(c_a, h, k)$

Procedure SKE_Decode$_A$:
Input: $s \in D^{k-1}$, exponent $a$
Let $c_b$ = Basic_Decode$(s)$
Output: $c_b^{ra} \bmod P = g^{ab}$

(SKE_Encode$_B$ and SKE_Decode$_B$ are analogous.)

Lemma 2. Let $f$ be $\epsilon$-biased on $\mathcal{C}_{A \to B, h_A}$ and $\mathcal{C}_{B \to A, h_B}$ for all $h_A, h_B$. Then for
any warden $W \in \mathcal{W}(t)$, we can construct a DDH adversary $A$ where $\mathbf{Adv}^{ddh}_{P,\hat{g},g}(A)
\ge \tfrac{1}{4}\mathbf{Adv}^{ske}_{\mathcal{S}_{KE},\mathcal{C}}(W, k) - \epsilon|P|$. The running time of $A$ is at most $t + O(k|P|)$.
Proof. (Sketch) Define $\hat{r}$ to be the least element such that $r\hat{r} = 1 \bmod Q$. The
algorithm $A$ works as follows. Given elements $(g^a, g^b, g^c)$ of the subgroup of
order $Q$, we uniformly choose elements $k_a, k_b \leftarrow \mathbb{Z}_r$ and set $c_a = (g^a)^{\hat{r}} \hat{g}^{Qk_a}$, and
$c_b = (g^b)^{\hat{r}} \hat{g}^{Qk_b}$. If $MSB(c_a) = MSB(c_b) = 0$, we then return
$W(\text{Basic\_Encode}(c_a, h_A, k), \text{Basic\_Encode}(c_b, h_B, k), g^c)$; otherwise we return 0.
Notice that the key computed by SKE_Decode would be

$$c_b^{ra} = \left((g^b)^{\hat{r}} \hat{g}^{Qk_b}\right)^{ra} = (g^{ab})^{r\hat{r}}\, \hat{g}^{(P-1)k_b a} = g^{ab} .$$

The decrease in $W$'s advantage comes from the fact that $A$ excludes some
elements of $\mathbb{Z}_P^*$ by sampling to get the MSB = 0, but we never exclude more than
$1/2$ of the cases for either $c_a$ or $c_b$. The $\epsilon|P|$ difference follows from Proposition 2
and the fact that $c_a, c_b$ are uniformly distributed on $U_{|P|-1}$.

Theorem 3. If $f$ is $\epsilon$-biased on $\mathcal{C}_{A \to B, h_A}$ and $\mathcal{C}_{B \to A, h_B}$ for all $h_A, h_B$, then

$$\mathbf{InSec}^{ske}_{\mathcal{S}_{KE},\mathcal{C}}(t, k) \le 4\epsilon|P| + 4\,\mathbf{InSec}^{ddh}_{P,\hat{g},g}(t + O(k|P|)) .$$
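The group arithmetic shared by Construction 2 and Construction 6, as an added example (not code from the paper): the transmitted element is a full-group element $\hat{g}^a$ that is rejection-sampled to have a clear top bit, and the receiver raises it to $r \cdot b$ so that the shared key $g^{ab}$ lands in the order-$Q$ subgroup, exactly the $s^{ra}$ step of Construction 2's Decrypt. The parameters are a constructed 11-bit toy group ($Q = 1019$, $r = 2$, $P = 2039$), chosen so small that the whole group can be enumerated to confirm the claim that the sent value is uniform on $(k-1)$-bit strings. The Basic_Encode layer is omitted; the functions return the value whose low $k-1$ bits would be encoded.

```python
import random

# Constructed toy group: P = rQ + 1 with Q prime and gcd(r, Q) = 1.  An 11-bit
# prime is hopelessly insecure; it lets every claim below be checked exhaustively.
Q = 1019
R = 2
P = R * Q + 1               # 2039, prime
K = P.bit_length()          # k = |P| = 11


def prime_factors(n):
    """Trial division; n is tiny here."""
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out


def find_generator(p):
    """Smallest ĝ of full order p-1 in Z_P^*: ĝ^((p-1)/q) != 1 for every prime q | p-1."""
    for cand in range(2, p):
        if all(pow(cand, (p - 1) // q, p) != 1 for q in prime_factors(p - 1)):
            return cand
    raise ValueError("no generator found")


G_HAT = find_generator(P)        # ĝ generates all of Z_P^*
G = pow(G_HAT, R, P)             # g = ĝ^r generates the subgroup of order Q


def ske_encode(rng):
    """Alice's half of Construction 6 (minus Basic_Encode): draw a until ĝ^a mod P
    has a clear top bit; keep a and send the low k-1 bits of ĝ^a."""
    while True:
        a = rng.randrange(P - 1)              # a <- U(Z_{P-1})
        c = pow(G_HAT, a, P)                  # c_a = ĝ^a mod P, an element of Z_P^*
        if c < (1 << (K - 1)):                # MSB = 0, so c fits in k-1 bits
            return a, c


def ske_decode(received, my_exponent):
    """Bob's half: c_a^{r b} = ĝ^{a r b} = g^{ab}; the key lies in the order-Q subgroup.
    This is the same computation as K = H(s^{ra}) in Construction 2's Decrypt."""
    r = (P - 1) // Q
    return pow(received, r * my_exponent, P)


def transmitted_values():
    """Every value Alice could ever send: ĝ^a over all a, kept only when MSB = 0."""
    return {v for v in (pow(G_HAT, a, P) for a in range(P - 1)) if v < (1 << (K - 1))}


def exchange(seed):
    """Run both sides with one seeded RNG; return (Alice's key, Bob's key, g^{ab})."""
    rng = random.Random(seed)
    a, c_a = ske_encode(rng)
    b, c_b = ske_encode(rng)
    return ske_decode(c_b, a), ske_decode(c_a, b), pow(G, a * b, P)
```

With a real-size $P$ the rejection loop still runs about twice on average (half of $\mathbb{Z}_P^*$ lies below $2^{k-1}$ when $2^{k-1} < P < 2^k$), which is the factor of 4 in Lemma 2 and Theorem 3 once both parties reject independently.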

8 Discussion and Open Problems 

Need for a PKI. A potential stumbling block for public-key steganography
is the need for a system which allows Alice and Bob to publish public keys for
encryption and signatures without raising suspicion. The most likely source of
a resolution to this issue is the existence of a global public-key infrastructure
which publishes such public keys for every party in any case. In many cases
(those modeled by the chosen hiddentext attack), however, it may be Alice who
is trying to avoid suspicion while it is Bob who publishes the public key. For
example, Alice may be a government employee who wishes to leak a story and
Bob a newspaper reporter, who may publish his public key daily.

In case Alice and Bob are both trying to avoid suspicion, it may be necessary
to perform SKE instead. Even in this case, there is a need for a one-bit "secret
channel" which alerts Bob to the fact that Alice is attempting key exchange.
However, as long as Bob and Alice assume key exchange is occurring, it is easy
to check at completion that it has indeed occurred by using Basic_Encode to
exchange the messages $F_K(A, h_A)$, $F_K(B, h_B)$ for $F$ a pseudorandom function.



Stegosystems with Backdoors. Suppose we wish to design steganography
software which will be used as a black box by many users. Then as long as there
is some entropy in the stegosystem of choice, we can use public-key steganog-
raphy to implement a backdoor into the stegosystem which is provably unde-
tectable via input/output behavior, by using the encoding routine as an oracle
for Construction 4, with a fixed hiddentext ($1^k$, for instance). This will make it
possible, with enough intercepted messages, to detect the use of the steganogra-
phy software. If a total break is desired and the software implements private-key
steganography, we can replace $1^k$ by the user's private key.

Relationship to PKC: Complexity-Theoretic Implications. In contrast
to the private-key results of [7], we are not aware of a general result showing
that the existence of any semantically secure public-key cryptosystem implies
the existence of secure public-key steganography. However, our results allow
construction of provably secure public-key steganography based on the security
of any popular public-key cryptosystem.
A Proof of Chosen-Stegotext Security

We define the following sequence of hybrid oracle distributions:

1. $P0(b, m, h) = CT_{csa}$, the covertext oracle.

2. $P1(b, m, h)$ responds to dec queries as in $P0$, and responds to enc queries us-
ing CSA_Encode but with calls to UEncode$^C$ replaced by calls to Basic_Encode.

3. $P2(b, m, h)$ responds to dec queries as in $P1$, and responds to enc queries
using CSA_Encode.

4. $P3(b, m, h) = ST_{csa}$, the stegotext oracle.

We are given a CSA attacker $W \in \mathcal{W}(t, q_e, q_d, q_F, q_G, q_{H_1}, q_{H_2}, l)$ and wish to
bound his advantage. Notice that

$$\mathbf{Adv}^{csa}_{S,\mathcal{C}}(W, k) \le \left|\Pr[W^{P0} = 1] - \Pr[W^{P1} = 1]\right| + \left|\Pr[W^{P1} = 1] - \Pr[W^{P2} = 1]\right| + \left|\Pr[W^{P2} = 1] - \Pr[W^{P3} = 1]\right|$$

(for ease of notation, we omit the arguments to $W$). Hence, we can bound the
advantage of $W$ by the sum of its advantages in distinguishing the successive
hybrids. For hybrids $P, Q$ we let $\mathbf{Adv}^{P,Q}(W, k) = \left|\Pr[W^{P} = 1] - \Pr[W^{Q} = 1]\right|$.

Lemma 3. $\mathbf{Adv}^{P0,P1}(W, k) \le q_e\,\mathbf{InSec}^{ow}_{\Pi}(t', k) + 2^{-k}(q_e^2/2 - q_e/2) + (l + 3q_e k)\epsilon$

Proof. Assume WLOG that $\Pr[W^{P1} = 1] \ge \Pr[W^{P0} = 1]$. Let $E_r$ denote the
event that, when $W$ queries $P1$, the random value $r$ never repeats, and let $E_q$
denote the event that $W$ never makes random oracle queries of the form $H_1(r)$
or $H_2(r, *, *)$ for an $r$ used by CSA_Encode, and let $E = E_r \wedge E_q$.

$$\begin{aligned}
\Pr[W^{P1} = 1] - \Pr[W^{P0} = 1] &= \Pr[W^{P1} = 1 \mid \bar{E}](1 - \Pr[E]) + \Pr[W^{P1} = 1 \mid E]\Pr[E] - \Pr[W^{P0} = 1] \\
&= \Pr[\bar{E}]\left(\Pr[W^{P1} = 1 \mid \bar{E}] - \Pr[W^{P1} = 1 \mid E]\right) + \left(\Pr[W^{P1} = 1 \mid E] - \Pr[W^{P0} = 1]\right) \\
&\le \Pr[\bar{E}] + (l + 3q_e k)\epsilon \\
&\le \Pr[\bar{E}_r] + \Pr[\bar{E}_q] + (l + 3q_e k)\epsilon \\
&\le 2^{-k}(q_e^2/2 - q_e/2) + \Pr[\bar{E}_q] + (l + 3q_e k)\epsilon
\end{aligned}$$

because if $r$ never repeats and $W$ never queries $H_1(r)$ or $H_2(r, *, *)$ for some $r$
used by CSA_Encode, then $W$ cannot distinguish between the ciphertexts passed
to Basic_Encode and random bit strings.

It remains to bound $\Pr[\bar{E}_q]$. Given $W \in \mathcal{W}(t, q_e, q_d, q_F, q_G, q_{H_1}, q_{H_2}, l)$ we
construct a one-way permutation adversary $A$ against $\pi_B$ which is given a value
$\pi_B(x)$ and uses $W$ in an attempt to find $x$, so that $A$ succeeds with probability at
least $(1/q_e)\Pr[\bar{E}_q]$. $A$ picks $(\pi_A, \pi_A^{-1})$ from $\Pi_k$ and $i$ uniformly from $\{1, \ldots, q_e\}$,
and then runs $W$ answering all its oracle queries as follows:

— enc queries are answered as follows: on query $j \ne i$, respond using CSA_Encode
but with calls to UEncode$^C$ replaced by calls to Basic_Encode. On the
$i$-th query respond with $s$ = Basic_Encode$(\pi_B(x) \| e_i \| \tau_i, h)$ where $e_i =
h_i \oplus (m, \sigma_i)$ and $h_i, \sigma_i, \tau_i$ are chosen uniformly at random from the set of
all strings of the appropriate length ($|e_i| = |m| + k$ and $|\tau_i| = k$), and set
$\phi = \phi \cup \{(s, h)\}$.

— dec queries are answered using $CT_{csa}$.

— Queries to $G$, $F$, $H_1$ and $H_2$ are answered in the standard manner: if the
query has been made before, answer with the same answer, and if the query
has not been made before, answer with a uniformly chosen string of the
appropriate length. If a query contains a value $r$ for which $\pi_B(r) = \pi_B(x)$,
halt the simulation and output $r$.

It should be clear that $\Pr[A(\pi_B(x)) = x] \ge \frac{1}{q_e}\Pr[\bar{E}_q]$.

Lemma 4. Adv^{P1,P2}(W, k) ≤ q_e InSec^{ow}_Π(t', k) + 2^{−k}(q_e^2/2 − q_e/2) 

Proof. Assume WLOG that Pr[W^{P2} = 1] ≥ Pr[W^{P1} = 1]. Denote by E_r the 
event that, when answering queries for W, the random value r of CSA_Encode 
never repeats, and by E_G the event that W never queries G(*, r, π_B(r) || *, *) for 
some r used by CSA_Encode, and let E = E_r ∧ E_G. Then: 

Pr[W^{P2} = 1] − Pr[W^{P1} = 1] 
  = (Pr[W^{P2} = 1 | E] Pr[E] + Pr[W^{P2} = 1 | ¬E] Pr[¬E]) 
    − Pr[W^{P1} = 1 | E] Pr[E] − Pr[W^{P1} = 1 | ¬E] Pr[¬E] 
  = Pr[¬E] (Pr[W^{P2} = 1 | ¬E] − Pr[W^{P1} = 1 | ¬E]) 
  ≤ Pr[¬E] 
  ≤ Pr[¬E_r] + Pr[¬E_G] 
  ≤ 2^{−k}(q_e^2/2 − q_e/2) + Pr[¬E_G], 

where the second equality uses Pr[W^{P2} = 1 | E] = Pr[W^{P1} = 1 | E], since conditioned on E the two hybrids answer W's queries identically. 

Given W ∈ W(t, q_e, q_d, q_F, q_G, q_{H_1}, q_{H_2}, l) we construct a one-way permutation 
adversary A against π_B which is given a value π_B(x) and uses W in an attempt 
to find x. A picks (π_A, π_A^{−1}) from Π_k and i uniformly from {1, ..., q_e}, and then 
runs W answering all its oracle queries as follows: 

— enc queries are answered as follows: on query j ≠ i, respond using CSA_Encode. 
On the i-th query respond with s = UEncode^φ(π_B(x) || e_i || τ_i, r_i, h) 
where e_i = h_i ⊕ (m, σ_i) and h_i, σ_i, τ_i, r_i are chosen uniformly at random 
from the set of all strings of the appropriate length (|e_i| = |m| + k and 
|τ_i| = k), and set φ = φ ∪ {(s, h)}. 

— dec queries are answered using DT_CSA. 

— Queries to G, F, H_1 and H_2 are answered in the standard manner: if the 
query has been made before, answer with the same answer, and if the query 
has not been made before, answer with a uniformly chosen string of the 
appropriate length. If a query contains a value r for which π_B(r) = π_B(x), 
halt the simulation and output r. 

It should be clear that Pr[A(π_B(x)) = x] ≥ (1/q_e) Pr[¬E_G]. 

Lemma 5. Adv^{P2,P3}(W, k) ≤ q_F InSec^{ow}_Π(t', k) + q_d/2^{k−1} + q_e/2^k 

Proof. Given W ∈ W(t, q_e, q_d, q_F, q_G, q_{H_1}, q_{H_2}, l) we construct a one-way per- 
mutation adversary A against π_A which is given a value π_A(x) and uses W 
in an attempt to find x. A chooses (π_B, π_B^{−1}) from Π_k and i uniformly from 
{1, ..., q_F}, and then runs W answering all its oracle queries as follows: 

— enc queries are answered using CSA_Encode except that σ is chosen at random 
and F(r, m, h) is set to be π_A(σ). If F(r, m, h) was already set, fail the 
simulation. 

— dec queries are answered using CSA_Decode, with the additional constraint 
that we reject any stegotext for which there hasn't been an oracle query of 
the form H_2(r, m, h) or F(r, m, h). 

— Queries to G, F, H_1 and H_2 are answered in the standard manner (if the 
query has been made before, answer with the same answer, and if the query 
has not been made before, answer with a uniformly chosen string of the 
appropriate length) except that the i-th query to F is answered using π_A(x). 

A then searches all the queries that W made to the decryption oracle for a value 
σ such that π_A(σ) = π_A(x). This completes the description of A. 

Notice that the simulation has a small chance of failure: at most q_e/2^k. For 
the rest of the proof, we assume that the simulation doesn't fail. Let E be the 
event that W makes a decryption query that is rejected in the simulation, but 
would not have been rejected by the standard CSA_Decode. It is easy to see 
that Pr[E] ≤ q_d/2^{k−1}. Since the only way to differentiate P3 from P2 is by 
making a decryption query that P3 accepts but P2 rejects, and, conditioned 
on ¬E, this can only happen by inverting π_A on some F(r, m, h), we have that: 
Adv^{P2,P3}(W, k) ≤ q_F InSec^{ow}_Π(t', k) + q_d/2^{k−1} + q_e/2^k 

B Negligibly Biased Functions for Any Channel 

Let l(k) = ω(log k). Then the channel is simply a distribution on sequences 
of documents which are elements of {0,1}^{l(k)}, and the marginal distributions 
are simply C_h. The minimum entropy requirement from Section 3 then gives 
us that for any h which has non-zero probability, H_∞(C_h) = ω(log k). 

Let h_1, h_2, ..., h_m be any sequence of histories which all have non-zero proba- 
bility under C, and let f : {0,1}^{m(k)} × D → {0,1} be a universal hash function. 
Let Y, Z ← U_{m(k)}, B ← U_1, and D_i ← C_{h_i}. Let L(k) = min_i H_∞(D_i), and note 
that L(k) = ω(log k). Then the "Leftover Hash Lemma" (see, e.g., [6]) implies 



where Δ(X, Y) = (1/2) Σ_x |Pr[X = x] − Pr[Y = x]| is the statistical distance, from 
which it is immediate that if we choose Y ← U_{m(k)} once and publicly, then for all 
1 ≤ i ≤ m, f_Y will have negligible bias for C_{h_i} except with negligible probability. 
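The following Python is an added example, not part of the paper: it makes the Appendix B argument concrete on a small channel that can be enumerated completely. It assumes the inner-product family f_Y(d) = ⟨Y, d⟩ mod 2 over GF(2) as the universal hash, a constructed C_h uniform over 2^L documents (so H_∞(C_h) = L), and the one-bit form of the Leftover Hash Lemma bound E_Y[Δ(f_Y(D), B)] ≤ 2^{−(L+1)/2}; it also checks that one publicly chosen Y serves several histories at once by a union bound.

```python
# Added example, not from the paper: the Appendix B argument on a small channel
# that can be enumerated completely.  Assumptions: the universal hash family is
# f_Y(d) = <Y, d> mod 2 (inner product over GF(2)); C_h is a constructed
# distribution, uniform over 2^L distinct documents, so H_inf(C_h) = L; and the
# Leftover Hash Lemma is used in its one-bit form E_Y[Delta(f_Y(D), B)] <= 2^{-(L+1)/2}.
import random

DOC_BITS = 10               # documents are 10-bit strings (constructed channel)
N_KEYS = 1 << DOC_BITS      # Y ranges over {0,1}^{DOC_BITS}


def f(y, d):
    """Universal hash f_Y(d) = <Y, d> mod 2: parity of the bitwise AND."""
    return bin(y & d).count("1") & 1


def make_channel(min_entropy, seed):
    """Constructed C_h: uniform over 2^min_entropy distinct documents."""
    rng = random.Random(seed)
    return rng.sample(range(1 << DOC_BITS), 1 << min_entropy)


def bias(y, docs):
    """Delta(f_Y(D), B) for a uniform bit B: |Pr[f_Y(D) = 1] - 1/2|."""
    ones = sum(f(y, d) for d in docs)
    return abs(ones / len(docs) - 0.5)


def average_bias(docs):
    """E_Y[bias(Y)] over a uniformly chosen Y, the quantity the LHL bounds."""
    return sum(bias(y, docs) for y in range(N_KEYS)) / N_KEYS


def lhl_bound(min_entropy):
    """One-bit Leftover Hash Lemma bound 2^{-(L+1)/2} on the average bias."""
    return 2.0 ** (-(min_entropy + 1) / 2)


def fraction_bad_keys(docs, threshold):
    """Fraction of Y whose bias exceeds threshold; Markov: <= average_bias / threshold."""
    return sum(bias(y, docs) > threshold for y in range(N_KEYS)) / N_KEYS


def fraction_bad_for_any(channels, threshold):
    """Fraction of Y bad for at least one history: one public Y must serve all h_i."""
    bad = sum(any(bias(y, docs) > threshold for docs in channels) for y in range(N_KEYS))
    return bad / N_KEYS
```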
Abstract. We provide methods for transforming an encryption scheme 
susceptible to decryption errors into one that is immune to these errors. 
Immunity to decryption errors is vital when constructing non-malleable 
and chosen ciphertext secure encryption schemes via current techniques; 
in addition, it may help defend against certain cryptanalytic techniques, 
such as the attack of Proos [33] on the NTRU scheme. 

When decryption errors are very infrequent, our transformation is ex- 
tremely simple and efficient, almost free. To deal with significant error 
probabilities, we apply amplification techniques translated from a re- 
lated information theoretic setting. These techniques allow us to correct 
even very weak encryption schemes where in addition to decryption er- 
rors, an adversary has substantial probability of breaking the scheme by 
decrypting random messages (without knowledge of the secret key). In 
other words, under these weak encryption schemes, the only guaranteed 
difference between the legitimate recipient and the adversary is in the 
frequency of decryption errors. All the above transformations work in a 
standard cryptographic model; specifically, they do not rely on a random 
oracle. 

We also consider the random oracle model, where we give a simple trans- 
formation from a one-way encryption scheme which is error-prone into 
one that is immune to errors. 

We conclude that error-prone cryptosystems can be used in order to 
create more secure cryptosystems. 



1 Introduction 

In their seminal paper on semantic security Goldwasser and Micali defined a 
public key encryption scheme as one where the decryption is perfect, i.e., given 
a properly formed ciphertext the answer is always the unique corresponding 
plaintext [20]. More formally, let the encryption algorithm be E and the corresponding 
decryption algorithm be D. If E maps a message m with random coins 
r to a ciphertext c = E(m, r), then it is always the case that D(E(m, r)) = m. 
However, some cryptosystems do not satisfy this condition, two notable exam- 
ples being the Ajtai-Dwork cryptosystem [1] and NTRU [21]. (In fact, sometimes 
a cryptosystem is deliberately designed to have ambiguous decryption; see more 
in Section 6.) 

One might think that an encryption scheme with small probability of de- 
cryption error is merely an aesthetic nuisance, since the event of a decryption 
error can be compared to the event of an adversary guessing the secret key, which 
should be rare. However, serious difficulties arise in trying to construct cryptosys- 
tems secure under more stringent notions of security, such as non-malleability 
and chosen-ciphertext immunity, based on systems with ambiguous decryption. 
In fact, all known "bootstrapping" methods for constructing strong cryptosystems 
fail when the underlying one is susceptible to errors¹. Furthermore, Proos 
was able to exploit decryption errors in his attack on the NTRU scheme [33]. Our 
goal in this work is to discuss general methods for eliminating errors and con- 
structing secure cryptosystems based on less than perfect underlying schemes. 



1.1 Random Oracles and the Real World 

The literature contains constructions for cryptographic primitives in two well 
studied models: the random oracle world as described below, and the real world, 
where the assumption of a random oracle may not be justified. In general it is 
more difficult and involved to provide and prove correct constructions in the real 
world model. 

If one makes the simplifying assumption that a specific function behaves as 
an idealized random function (random oracle), then it is possible to obtain sim- 
ple and efficient constructions of public-key encryption schemes that are secure 
against chosen ciphertext attacks in the post-processing mode ("cca-post", also 
known as CCA2); these include OAEP and its variants [5,3,32,15,6], Fujisaki-Okamoto 
[14] and REACT [31]². However, it is not known if any one of these 
methods (or some other method) can be used to convert every public-key cryptosystem 
(including systems with decryption errors) that is semantically secure 
(or that satisfies even some weaker property such as one-wayness on the mes- 
sages) against chosen plaintext attacks into one that is secure against stronger 
attacks, such as cca-post attacks (see below for more information on attacks). 
Among the problems in applying these approaches are that in the underlying 
“input” cryptosystem (1) there can exist ciphertexts which are valid encryptions 

¹ One reason for the failure of those methods is that when the adversary chooses the 
input to the decryption algorithm, this input can have a distribution completely 
different from that of correctly encrypted messages and so the error probability may 
be large instead of small. 

² The meaning of such results is the subject of much debate (see e.g., [8,13,2]). 
of two different plaintext messages; and (2) the decryption mechanism may some- 
times fail to return "invalid" on an invalid ciphertext. As mentioned above, these 
problems were exploited by Proos [33] to attack various paddings of NTRU [30]. 

In the real world we have no idealized function, and we must make do with what 
nature gives us. An important idea used either explicitly or at least implicitly 
in the construction of chosen ciphertext secure cryptosystems in the real world is 
to add some redundancy to the encryption and provide a proof of consistency of 
the ciphertext. The most general form of the proof of consistency is via a non- 
interactive zero-knowledge proof system (NIZKs) [11,27,29,34], but there are also 
more specific methods [9,10]. Here too a cryptosystem with possible decryption 
errors may cause problems in the construction. Take for instance the method 
that is based on a pair of keys together with a NIZK of consistency (this is the 
one suggested by Naor and Yung [29] and also a subsystem of the Dolev, Dwork, 
and Naor scheme [11]). A central idea in the proof of security is that knowing 
any of several private keys is sufficient for the decryption, and which one (of the 
several) is known is indistinguishable to the adversary. However, if there is no 
unique decryption, then seeing which plaintext is returned may leak which key 
is known, and the proof of security collapses. 

Our Results 

We suggest methods for dealing with errors in both worlds described above: 

In the land of random oracles: We provide a generic and efficient method for 
converting any public-key cryptosystem where decryption errors may occur, but 
where an adversary cannot retrieve the plaintext of a randomly chosen message 
(sometimes known as one-way cryptosystem), into one that is secure against 
chosen ciphertext attack in the post-processing mode. This is done in Section 5. 

The real world: We show two transformations from cryptosystems with errors to 
ones without. When decryption errors are very infrequent, our transformation 
is extremely simple and efficient, almost free. The case of significant error prob- 
abilities is technically more involved. Our transformation for this case corrects 
even very weak encryption schemes where in addition to decryption errors, an 
adversary has substantial probability of breaking the scheme by decrypting ran- 
dom messages (without knowledge of the secret key). In other words, under these 
weak encryption schemes, the only guaranteed difference between the legitimate 
recipient (holder of the secret key) and the adversary is in the frequency of de- 
cryption errors: the legitimate recipient experiences fewer errors than does the 
adversary. 

To demonstrate the subtleties of this task, consider the case where the legit- 
imate recipient decrypts correctly with probability 9/10 (and let us assume for 
simplicity that otherwise he gets an error message), but the adversary decrypts 
correctly with probability 1/10. A natural approach is to use error correcting 
codes, setting the parameters in such a way that the legitimate recipient will 
have enough information to decode, whereas the adversary will get no informa- 
tion. This approach indeed works in the information theoretic counterpart of a 
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channel where the receiver gets the piece of information with certain probability 
and the eavesdropper with another. But it is not clear how to carry it through 
in the computational setting. Therefore, the solutions given in this paper use a 
different approach: we apply amplification techniques translated from the related 
information theoretic setting of [35]. We note that here, too, the computational 
setting introduces additional complications. 

The conclusion we reach is that once provided with noninteractive zero knowl- 
edge proof systems, one can convert essentially any public-key cryptosystem with 
decryption errors into one that is secure against chosen ciphertext attack in the 
postprocessing mode. 



Related Work: In addition to the work mentioned above we should point 
out two specific papers that converted an error-prone scheme into an error free 
one. Goldreich, Goldwasser and Halevi [18] showed how to eliminate decryption 
errors in the Ajtai-Dwork [1] cryptosystem. Our methods, especially those of 
Section 3, can be seen as a general way of achieving that goal. In the papers of 
Howgrave-Graham et al. [23,24] the problem of constructing a CCA-post-secure 
NTRU-based method in the random oracles world is considered. 

2 Preliminaries 

Notation and Conventions 

We will abbreviate "probabilistic polynomial time Turing Machine" with PPTM. 
We use the notation poly(·) to refer to some polynomially bounded function and 
neg(·) to refer to some function that is smaller than 1/p(·) for any polynomial 
p(·) (for all sufficiently large inputs). For any integer n, we let U_n denote the 
uniform distribution over {0,1}^n. We let the operation ⊕ on two bit-strings 
denote their bit-wise XOR. 

2.1 Public-Key Encryption Correctness 

A public-key encryption scheme consists of three probabilistic polynomial time 
algorithms (G, E, D), for key generation, encryption and decryption respectively. 
For simplicity we fix n to be both the security parameter and input length, and 
assume that the message space is {0,1}^n. Algorithm G, for the key generation, 
is given 1^n as input (as well as internal random coins), and outputs the public 
key and secret key pair (pk, sk). We have that |pk| = |sk| = poly(n). E and D 
are, respectively, the encryption and decryption algorithms. E takes as input a 
public key pk, an n-bit plaintext message m, and uses internal random coins. 
We refer to the output c ∈ E_pk(m) as the ciphertext. When we want to refer to 
E's additional poly(n)-long random input r explicitly, we will use the notation 
E_pk(m; r). Finally, D takes as input a secret key sk and a ciphertext. The output 
of D is either a message m' (which may fail to equal the original message m) or 
⊥ to indicate invalid (we are deliberately not attaching semantics to a response 
of "invalid"). The standard definition of public-key encryption schemes requires 
perfect correctness. Namely, that if the input c to D_sk is well constructed using 
E_pk, then the output D_sk(c) is supposed to retrieve the original plaintext. We 
make this explicit in the next definition. 

Definition 1. A public-key encryption scheme (G, E, D) is perfectly correct if 
the following holds: 

— For every message m of length n, for every pair (pk, sk) generated by G 
on input 1^n, and all possible coin tosses of E and D, it should hold that 
D_sk(E_pk(m)) = m. 

Although we allowed D to output ⊥ we made no assumption on the probability 
of ⊥ being the output in case the ciphertext is indeed invalid (where invalid 
means that there do not exist m and r such that c = E_pk(m; r)). 

We now want to relax the notion of public-key encryption so as to allow 
decryption errors. We define an encryption scheme to be α-correct, if the prob- 
ability of decryption error is at most 1 − α. 

Definition 2. For any function α : ℕ → [0, 1], a public-key encryption scheme 
(G, E, D) is α-correct if Pr[D_sk(E_pk(m)) ≠ m] ≤ 1 − α(n), where the proba- 
bility is taken over the random coins of G used to generate (pk, sk) on input 1^n, 
over the choice of m ∈ U_n, and over the random coins of E and D. 

In the above definition the error probability is taken over the random choice 
of the message (uniformly at random), the randomness of the encryption and 
decryption and the choice of the key. In particular, some keys may be completely 
useless as they don’t allow decryption at all. We now consider the case that 
the bound on the decryption error holds for all keys or for all but a negligible 
fraction of the keys. These definitions are relevant here for two reasons: (1) Our 
transformations will be a bit more efficient if we only try to immunize against 
this kind of errors. (In the sense that the key of the revised scheme will only 
include a single key of the original scheme.) (2) Our transformations will produce 
schemes that are “almost-all-keys perfectly correct” rather than perfectly correct 
encryptions. This means that decryption errors can only occur with a negligible 
probability over the choice of the key. Note that such errors are usually much 
less harmful, and in particular such schemes can be made non-malleable using 
“standard” techniques (unlike the case where errors may occur for a substantial 
fraction of the keys). 

Definition 3. Let (G, E, D) be any public-key encryption scheme and α : ℕ → 
[0, 1] an arbitrary function. 

— (G, E, D) is all-keys α-correct if for every pair (pk, sk) generated by G on 
input 1^n, Pr[D_sk(E_pk(m)) ≠ m] ≤ 1 − α(n), where the probability is taken 
over the choice of m ∈ U_n, and over the random coins of E and D. 

— (G, E, D) is almost-all-keys α-correct if with probability (1 − neg(n)) over the 
random coins of G used to generate (pk, sk) on input 1^n, Pr[D_sk(E_pk(m)) ≠ 
m] ≤ 1 − α(n), where the probability is taken over the choice of m ∈ U_n, and 
over the random coins of E and D. 

— (G, E, D) is almost-all-keys perfectly correct if with probability (1 − neg(n)) 
over the random coins of G used to generate (pk, sk) on input 1^n, 
Pr[D_sk(E_pk(m)) ≠ m] = 0, where the probability is taken over the choice 
of m ∈ U_n, and over the random coins of E and D. 



2.2 Public-Key Encryption Security 

Semantic security [20] has established itself as essentially the minimal desired 
notion of security for encryption schemes. Intuitively, a public-key encryption 
scheme is semantically secure if anything that a polynomial-time adversary can 
compute about the plaintext m given the ciphertext c = E_pk(m), it can also 
compute without access to c. Semantic security was shown in [20] to be equiv- 
alent to the indistinguishability of ciphertexts, which intuitively means that ci- 
phertexts which correspond to different plaintexts are indistinguishable. Three 
basic modes of attack for which semantic security was considered are: chosen 
plaintext attack (which for public-key encryption essentially amounts to giving 
the adversary the public-key pk and allowing the adversary to decide the chal- 
lenge distribution), and chosen ciphertext attack in the preprocessing and the 
postprocessing modes (in both the adversary also gets access to a decryption 
oracle; in the preprocessing mode this access ends when the ciphertext challenge 
is published). Semantic security under these attacks is denoted IND-CPA, IND- 
CCA-Post and IND-CCA-Pre respectively. An even stronger notion of security 
than semantic security is that of non-malleability [11]. Intuitively, here the adver- 
sary should not even gain a (non-negligible) advantage in creating an encryption 
of a message that relates to m. Non malleability with respect to the above at- 
tacks is denoted NM-CPA, NM-CCA-Post and NM-CCA-Pre respectively. For 
the formal definitions of the above notions we rely on [11]. 

Both semantic security and non-malleability were originally defined for per- 
fectly correct encryption schemes. Nevertheless they are just as meaningful for 
schemes with decryption errors. Section 3 gives a very simple way of eliminating 
decryption errors (as long as they are very rare) while preserving each one of 
the above six notions of security. Section 4 shows how to immunize much weaker 
encryption schemes. Here decryption errors will be more likely (may even happen 
with probability 1 − 1/poly). In addition, we will make much weaker security 
assumptions: we will only bound the success probability of the adversary in 
"inverting E" and completely retrieving the plaintext message m. (Therefore, the 
only advantage the legitimate recipient has over the adversary is in the proba- 
bility of decryption.) This notion of weak security is captured by the following 
definition. 



Definition 4. For any function β : ℕ → [0, 1], a public-key encryption scheme 
is β-one-way (β-OW) if for every PPTM A, Pr[A(E_pk(m)) = m] ≤ β(n) + 
neg(n), where the probability is taken over the random coins of G used to generate 
(pk, sk) on input 1^n, over the choice of m ∈ U_n, and over the random coins of 
E and A. 

We note that unlike semantic security and non-malleability, this notion of secu- 
rity allows the encryption scheme E to be deterministic. 

Pseudorandom Generators. One of the transformations of this paper uses pseu- 
dorandom generators as a main tool. A pseudorandom generator is a function 
prg : {0,1}* → {0,1}* such that on n-bit input x, the output prg(x) is l(n) > n 
bits long and such that prg(U_n) is computationally indistinguishable from U_{l(n)}. 
See [17,16] for a formal definition. 

3 The Case of Infrequent Errors 

This section describes a very efficient way for eliminating decryption errors when 
errors are very rare. If errors are too frequent to apply this technique directly, 
then one can first apply the amplification methods described in Section 4. 

Let E be an encryption scheme where for every message m, the probabil- 
ity over the randomness r of E that D_sk(E_pk(m; r)) ≠ m is tiny. To correct 
this scheme we use the “reverse randomization” trick from the construction of 
Zaps [12] and commitment protocols [28] (which can be traced back to Laute- 
mann’s proof that BPP is in the polynomial time hierarchy [26]). The idea is 
very simple: by assumption, only a tiny fraction of “bad” random strings r lead 
to ciphertexts with decryption errors. Thus, we will arrange that the cipher- 
texts are constructed using only a rather small fraction of the possible values 
for r; the particular set of values will depend on the choice of public key. Very 
minimal independence in the selection of this subset will already assure that we 
are avoiding the bad strings with very high probability. In addition, the subset 
will be constructed to be pseudorandom, which will guarantee that the seman- 
tic security of the original scheme is preserved. Finally, the construction will 
ensure that the error probability is only on the choice of encryption key: if 
the encryption key is good, no ciphertext created with this encryption key will 
suffer a decryption error. The only significant computational cost incurred by 
this transformation is a single invocation of a pseudorandom generator (and in 
fact, this may already be performed to save on random bits, in which case the 
transformation is essentially for free). 

For simplicity we state the next construction (and the corresponding theo- 
rem) under the assumption that the decryption algorithm D is deterministic. 
In the case of chosen-plaintext attack (which is probably the most interesting 
setting of the theorem), this can be obtained simply by fixing the randomness of 
D as part of the key. The case of chosen-ciphertext attacks is a bit more delicate 
but still the construction can be easily extended to randomized D. 

Construction 31 Let (G, E, D) be any public-key encryption scheme. Let ℓ(n) 
be the (polynomially bounded) number of bits used by E to encrypt n-bit mes- 
sages. Without loss of generality assume that ℓ(n) ≥ n (as E can always ignore 
part of its random input). Let prg be a pseudorandom generator that expands n 
bits to ℓ(n) bits. 

Define the public-key encryption scheme (G', E', D') as follows: on input 1^n, 
the generation algorithm G' outputs ((pk, r̂), sk) where (pk, sk) is obtained by 
invoking G on the same input and r̂ ∈ U_{ℓ(n)}. On an n-bit input m, the encryption 
function E' uses an n-bit random string s and outputs E_pk(m; prg(s) ⊕ r̂). The 
decryption function D' is identical to D. 

Theorem 1. Let (G, E, D) be any (1 − 2^{−4n})-correct public-key encryption 
scheme with D being deterministic. Define (G', E', D') as in Construction 31. 
Then (G', E', D') is an almost-all-keys perfectly correct public-key encryption 
scheme. Furthermore, if (G, E, D) is NN-AAA secure with NN-AAA ∈ {IND- 
CPA, IND-CCA-Post, IND-CCA-Pre, NM-CPA, NM-CCA-Post, NM-CCA-Pre} 
then so is (G', E', D'). 

Proof. For any fixed value of r̂, the distribution prg(U_n) ⊕ r̂ is pseudorandom. 
Therefore, it easily follows that (G', E', D') is NN-AAA secure (otherwise we 
could construct a distinguisher that breaks the pseudorandom generator). 

It remains to prove the correctness of (G', E', D'), i.e. that with high probabil- 
ity over the choice of keys the scheme is perfectly correct. First, with probability 
at least (1 − 2^{−n}) over the choice of (pk, sk), the value Pr_{m,r}[D_sk(E_pk(m; r)) ≠ m] 
is at most 2^{−3n} (by Markov's inequality). Assume that (pk, sk) satisfies this property. Since r̂ is uniformly 
distributed we also have that Pr_{m,s,r̂}[D_sk(E_pk(m; prg(s) ⊕ r̂)) ≠ m] ≤ 2^{−3n}. As 
m and s are only n-bit long, we get by a union bound over the 2^{2n} pairs (m, s) that the probability over 
r̂ that for some m and s a decryption error D_sk(E_pk(m; prg(s) ⊕ r̂)) ≠ m will 
occur is at most 2^{2n} · 2^{−3n} = 2^{−n}. We can therefore conclude that for all but at most a 2^{−n+1} 
fraction of (G', E', D') keys ((pk, r̂), sk) the scheme is perfectly correct. 
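As an added illustration (not code from the paper), the following Python applies Construction 31 to a toy scheme whose decryption is rigged to fail on exactly one random string per key, so that it is (1 − 2^{−4n})-correct for n = 8 with deterministic D; it checks exhaustively that a good r̂ yields a perfectly correct key, that the fraction of bad r̂ is within the 2^{−n+1} bound of Theorem 1, and that a bad r̂ does exist (almost-all-keys, not all-keys). The toy scheme, the SHA-256-based prg and all function names are assumptions of this example.

```python
# Added example, not code from the paper: Construction 31 on a toy scheme.
# Assumptions of this example: the toy (G, E, D) below is a keyed pad whose
# decryption is rigged to fail on exactly one l(n)-bit random string per key,
# so it is (1 - 2^{-4n})-correct for n = 8 with l(n) = 4n = 32 and D deterministic.
# It does not model public-key security; only the interface E_pk(m; r) matters.
# prg() is a SHA-256 expansion standing in for a pseudorandom generator.
import hashlib

N = 8                      # n: message and seed length in bits
L = 4 * N                  # l(n): random bits consumed by E
MASK_N = (1 << N) - 1
MASK_L = (1 << L) - 1


def _h(*parts):
    """Truncated SHA-256 over the integer parts; the toy scheme's internal PRF."""
    data = b"".join(int(p).to_bytes(8, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def gen(seed):
    """G: derive (pk, sk). pk is only a key tag; sk is the pad key."""
    sk = seed & MASK_L
    return _h(sk, 1), sk


def bad_r(sk):
    """The single randomness value r on which D_sk mis-decrypts (a 2^{-4n} fraction)."""
    return _h(sk, 2) & MASK_L


def enc(pk, m, r):
    """E_pk(m; r): ciphertext is (r, m XOR pad(pk, r))."""
    return r, (m ^ _h(pk, r)) & MASK_N


def dec(sk, c):
    """D_sk(c): deterministic; returns a wrong plaintext exactly when r == bad_r(sk)."""
    r, x = c
    m = (x ^ _h(_h(sk, 1), r)) & MASK_N
    return m ^ 1 if r == bad_r(sk) else m


def prg(s):
    """Stand-in PRG {0,1}^n -> {0,1}^{l(n)} (assumption: SHA-256 expansion of s)."""
    return _h(s & MASK_N, 3) & MASK_L


def gen2(seed, rhat):
    """G': the public key also carries r_hat; the caller draws r_hat from U_{l(n)}."""
    pk, sk = gen(seed)
    return (pk, rhat), sk


def enc2(pk2, m, s):
    """E': run E with randomness prg(s) XOR r_hat; the seed s is the only coin used."""
    pk, rhat = pk2
    return enc(pk, m, prg(s) ^ rhat)


def bad_rhats(sk):
    """Every r_hat for which some seed s steers E onto bad_r(sk): at most 2^n values."""
    return {prg(s) ^ bad_r(sk) for s in range(1 << N)}


def first_good_rhat(sk):
    """Smallest r_hat outside the bad set, to build a good key deterministically."""
    bad = bad_rhats(sk)
    return next(r for r in range(1 << L) if r not in bad)


def perfectly_correct(pk2, sk):
    """Exhaustive check of D'(E'(m; s)) == m over all 2^n messages and 2^n seeds."""
    return all(dec(sk, enc2(pk2, m, s)) == m
               for m in range(1 << N) for s in range(1 << N))


if __name__ == "__main__":
    pk, sk = gen(0x0BADF00D)
    print("bad r_hat fraction:", len(bad_rhats(sk)) / (1 << L),
          "<= 2^(-n+1) =", 2 ** (-N + 1))
    good_pk2, _ = gen2(0x0BADF00D, first_good_rhat(sk))
    print("good key perfectly correct:", perfectly_correct(good_pk2, sk))
```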

Remark 1. The existence of the pseudorandom generator needed for Construc- 
tion 31, follows from the security of (G,E,D) (under any one of the notions 
considered by the theorem). This is because the security of (G,E,D) implies 
the existence of one-way functions [25] which in turn imply the existence of 
pseudorandom generators [22]. 

Consider the construction of [11] for NM-CCA-post secure public key cryp- 
tosystems. This requires (i) a perfectly correct public-key cryptosystem which is 
semantically secure against chosen plaintext attacks (ii) A non-interactive zero- 
knowledge (NIZK) proof system for NP (that is for some specific language in NP) 
(iii) other primitives that can be based on one-way functions. Furthermore, if 
we replace in that construction the perfectly correct cryptosystem with one that 
is almost-all-keys-perfectly-correct, then all that happens is that the resulting 
construction is also of a similar nature. Therefore we can conclude 

Corollary 2. If (1 − 2^{−4n})-correct public-key encryption schemes semantically 
secure against chosen plaintext attacks exist and NIZK proof systems for NP 
exist, then almost-all-keys perfectly correct public-key encryption schemes which 
are NM-CCA-post secure exist. 
4 Immunizing Very Weak Encryption Schemes 

We now consider much weaker encryption schemes than in Section 3. Here the 
encryption may only be α-correct and β-OW where α and β may be as small as 
1/poly. Naturally, α has to be larger than β as otherwise the legitimate recipient 
of a message will have no advantage over the adversary (and such a scheme is 
useless and trivial to construct). The transformation given here works under the 
assumption that β < α^c for some fixed constant c. An interesting open problem 
is to give a transformation that works for even smaller gaps. Nevertheless, as we 
discuss below, having the transformation work for a gap α − β that is larger than 
an arbitrary constant may involve improving the corresponding transformation 
in the related information-theoretic setting of [35]. 

4.1 Polarization in the Statistical Setting 

Sahai and Vadhan [35] give an efficient transformation of a pair of distributions 
(X_0, X_1) (encoded by the circuits that sample them) into a new pair of distribu- 
tions (Y_0, Y_1). The transformation "polarizes" the statistical distance between 
X_0 and X_1. If this distance is below some threshold β' then the statistical dis- 
tance between Y_0 and Y_1 is exponentially small. If on the other hand the distance 
between X_0 and X_1 is larger than another threshold α' then the statistical dis- 
tance between Y_0 and Y_1 is exponentially close to 1. The condition for which 
this transformation works is that β' < α'^2. 

What is the relation between this problem and ours? Consider an α-correct 
and β-OW encryption scheme, for one-bit messages. Let X_0 be the distribu- 
tion of encryptions of 0 and X_1 the distribution of encryptions of 1. Intuitively 
we have that the legitimate recipient can distinguish these distributions with 
advantage α − (1 − α) = 2α − 1 (recall that α > 1/2), while the adversary can- 
not distinguish the distributions with advantage better than 2β − 1 < 2α − 1. 
Our transformation produces a new encryption scheme; let Y_0 and Y_1 be the 
corresponding distributions. We now have that the ability of the adversary to 
distinguish between Y_0 and Y_1 shrinks (to negligible), whereas the legitimate 
recipient distinguishes with probability that is exponentially close to 1. In fact, 
this intuitive similarity can be formalized to show that any transformation in the 
computational setting that is "sufficiently black box" implies a transformation 
in the statistical setting. This in particular implies that for our transformations 
to work for any constant gap α − β, we may need to improve the transformation 
of [35] (or to use non-black-box techniques). 

What about the other direction? It seems much harder in general to translate 
transformations from the statistical setting to the computational one. Neverthe- 
less, the transformations given in this section are heavily influenced by [35]. 
However, the computational versions of the amplification tools used in [35] are 
significantly weaker, which imposes additional complications and implies some- 
what weaker bounds than those of [35] . 
4.2 Tools and Basic Transformations 

To improve an α-correct and β-OW encryption scheme (G, E, D), we will use 
three basic transformations: 

Parallel Repetition ($E^k$). The encryption of a $k$-tuple of messages $m_1, \ldots, m_k$ will be defined as $E^k(m_1, \ldots, m_k) = E(m_1), \ldots, E(m_k)$. A negative effect of this transformation is that the probability of correct decryption of the entire $k$-tuple is reduced to $\alpha^k$. The gain of the transformation is that the probability of the adversary to break the one-wayness of $E^k$ will also decrease below $\beta$ (usually at an exponential rate as well). To bound this probability we apply a result of Bellare et al. [4] on the amplification of games in parallel execution. To conclude, this transformation makes decryption harder both for the legitimate recipient and for the adversary. As the adversary has a weaker starting point (success probability $\beta \ll \alpha$), it will be hurt more by the transformation.

Hard Core Bit ($E^\oplus$). Here we will transform an encryption scheme for strings to one that encrypts single bits. This will employ a hard core predicate in a rather standard fashion. The gain from this transformation is in turning the one-wayness of an encryption scheme into indistinguishability (which is easier to work with and is also our final goal).

Direct Product ($E^{\otimes k}$). The encryption $E^{\otimes k}$ of a message $m$ will be the concatenation of $k$ independent encryptions of $m$ under $E$. This transformation has the reverse effect to $E^k$: decryption becomes easier both for the legitimate recipient and for the adversary. As the legitimate recipient has a better starting point (success probability $\alpha \gg \beta$), it will gain more by the transformation.

In the formal definition of $E^k$ and $E^{\otimes k}$ we use independently generated keys for each one of the invocations of $E$ by these schemes. This is necessary as a large fraction of the keys of $E$ may be completely useless (i.e., do not allow decryption at all or completely reveal the message). So in order to amplify the security and correctness, we should use more than a single key. This can be avoided if we assume that $(G,E,D)$ is $\alpha$-correct and $\beta$-OW even after we fix the key of $E$ (for all but a negligible fraction of the keys). In such a case, the transformations of this paper will become much more efficient (in terms of key size). We now turn to the formal definition of the basic transformations.



Parallel Repetition 

Definition 5. Let $(G,E,D)$ be any public-key encryption scheme, and let $k : \mathbb{N} \to \mathbb{N}$ be any polynomially bounded function. Define $(G^k, E^k, D^k)$ as follows: On input $1^n$, the key-generating algorithm $G^k$ invokes $G$, with input $1^n$, $k = k(n)$ times using independent random coins for each invocation. The output of $G^k$ is $(pk, sk)$ where $pk = pk_1, \ldots, pk_k$, $sk = sk_1, \ldots, sk_k$, and $(pk_i, sk_i)$ is the output of $G$ in its $i$-th invocation. On input $\bar{m} = m_1, \ldots, m_k$ the output $E^k_{pk}(\bar{m})$ is defined by $E^k_{pk}(\bar{m}) = E_{pk_1}(m_1), \ldots, E_{pk_k}(m_k)$, where the $k$ encryptions are performed with independent random coins. Finally, on input $c = c_1, \ldots, c_k$, the decryption algorithm $D^k_{sk}$ tries to decrypt each $c_i$ by applying $D_{sk_i}(c_i)$. It outputs $\bot$ if one of these invocations of $D$ returned $\bot$ and otherwise outputs the sequence $D_{sk_1}(c_1), \ldots, D_{sk_k}(c_k)$.

352 Cynthia Dwork, Moni Naor, and Omer Reingold

Lemma 1. Let $(G,E,D)$ be any public-key encryption scheme, and let $k : \mathbb{N} \to \mathbb{N}$ be any polynomially bounded function. If $(G,E,D)$ is $\alpha$-correct and $\beta$-OW with $\beta < 1 - 1/\mathrm{poly}$, then $(G^k, E^k, D^k)$ is $\alpha^k$-correct and $\beta'$-OW for any $\beta' > 1/\mathrm{poly}$ that satisfies $\beta' > 32/(1-\beta) \cdot \beta^k$.

Proof. The correctness of $(G^k, E^k, D^k)$ follows immediately from the definition. The security is much more delicate. Fortunately, it can be obtained as a simple corollary of a theorem of Bellare, Impagliazzo, and Naor regarding error probability in parallel execution of protocols of up to three rounds ([4] Theorem 4.1). Thus, we need to translate the breaking of $(G^k, E^k, D^k)$ into winning the parallel execution of a game that is composed of at most three messages. Specifically, consider the following game between $P$ and (an honest) $V$, where $V$ invokes $G$ to select $(pk, sk)$, it selects a uniform message $m$ and sends $pk$ and $E_{pk}(m)$ to $P$. In return, $P$ sends a message $m'$ and wins if $m = m'$. From the one-wayness of $(G,E,D)$ we get that the best efficient strategy of $P$ can win with probability at most $\beta + \mathrm{neg}$. Note that the probability of winning the $k$-times parallel repetition of this game is the same as breaking the one-wayness of $(G^k, E^k, D^k)$. The lemma now follows from Theorem 4.1 of [4].



Hard Core Bit 

For concreteness we will use the Goldreich-Levin (inner product) bit [19]. This 
could be replaced with hard-core bits implied by other error-correcting codes 
that have strong list-decoding properties. 

Definition 6. Let $(G,E,D)$ be any public-key encryption scheme, where the encryption function operates on plaintexts of length $\ell > 1$, and let $k : \mathbb{N} \to \mathbb{N}$ be any polynomially bounded function. Define $(G^\oplus, E^\oplus, D^\oplus)$ as follows: $G^\oplus$ is simply identical to $G$. On a one-bit message $\sigma$, the encryption function $E^\oplus_{pk}$ samples two $\ell$-bit strings $m$ and $r$ uniformly at random and outputs $E_{pk}(m), r, \langle m, r \rangle \oplus \sigma$, where $\langle m, r \rangle$ is the inner product of $m$ and $r$ (mod 2). On input $c, r, \sigma'$ the decryption function $D^\oplus_{sk}$ evaluates $m' = D_{sk}(c)$. If $m' \neq \bot$, then $D^\oplus_{sk}$ outputs $\langle m', r \rangle \oplus \sigma'$, otherwise $D^\oplus_{sk}$ outputs a random bit.



Lemma 2. Let $(G,E,D)$ be any public-key encryption scheme. If $(G,E,D)$ is $\alpha$-correct and $\beta$-OW, then $(G^\oplus, E^\oplus, D^\oplus)$ is $(1/2 + \alpha/2)$-correct and $(1/2 + O(\sqrt{\beta}))$-OW. In particular, if $\beta$ is negligible then $(G^\oplus, E^\oplus, D^\oplus)$ is IND-CPA secure.

Proof. For correctness, note that if $m' = D_{sk}(c) = m$ (as in Definition 6), then $D^\oplus_{sk}$ decrypts correctly with probability one. Otherwise $D^\oplus_{sk}$ decrypts correctly with probability half (since the probability over $r$ that for any $m' \neq m$ we have that $\langle m', r \rangle = \langle m, r \rangle$ is half). We can therefore conclude that the probability of correct decryption is at least $\alpha \cdot 1 + (1 - \alpha) \cdot 1/2 = 1/2 + \alpha/2$.

For security, let us first assume that $\beta$ is negligible. In this case $(G^\oplus, E^\oplus, D^\oplus)$ is $(1/2)$-OW and equivalently is IND-CPA secure. Assume for the sake of contradiction that there exists an efficient adversary that decrypts $E^\oplus_{pk}$ with probability $1/2 + 1/\mathrm{poly}$ without access to $sk$. In this case, there is an efficient adversary that given $E_{pk}(m)$ and $r$ guesses $\langle m, r \rangle$ with probability $1/2 + 1/\mathrm{poly}$. Now we obtain from [19] that there exists an efficient adversary that given $E_{pk}(m)$ outputs $m$ with probability $1/\mathrm{poly}$. This contradicts the assumption that $(G,E,D)$ is neg-OW.

Finally, let us consider the case where $\beta$ is non-negligible. Assume for the sake of contradiction that there exists an efficient adversary that decrypts $E^\oplus_{pk}$ with probability $1/2 + \epsilon$, where $\epsilon = c \cdot \sqrt{\beta}$ for some large constant $c$ (note that $\epsilon > 1/\mathrm{poly}$). This again implies the existence of an efficient adversary that given $E_{pk}(m)$ and $r$ guesses $\langle m, r \rangle$ with the same probability. Using a tight enough version of the reconstruction algorithm for the Goldreich-Levin hard-core bit, we can conclude that there exists an efficient adversary that given $E_{pk}(m)$ computes a list of $O(1/\epsilon^2)$ candidates that include $m$ with probability $1/2$. This means that this adversary can also guess $m$ with probability $\Omega(\epsilon^2)$ which can be made, say, $2\beta$ by setting the constant $c$ to be large enough. This contradicts the $\beta$-one-wayness of $(G,E,D)$ and completes the proof of the lemma.



Direct Product 

Definition 7. Let $(G,E,D)$ be any public-key encryption scheme, and let $k : \mathbb{N} \to \mathbb{N}$ be any polynomially bounded function. Define $(G^{\otimes k}, E^{\otimes k}, D^{\otimes k})$ as follows: On input $1^n$, the key-generating algorithm $G^{\otimes k}$ invokes $G$, with input $1^n$, $k = k(n)$ times using independent random coins for each invocation. The output of $G^{\otimes k}$ is $(pk, sk)$ where $pk = pk_1, \ldots, pk_k$, $sk = sk_1, \ldots, sk_k$, and $(pk_i, sk_i)$ is the output of $G$ in its $i$-th invocation. On input $m$ the output $E^{\otimes k}_{pk}(m)$ is defined by $E^{\otimes k}_{pk}(m) = E_{pk_1}(m), \ldots, E_{pk_k}(m)$, where the $k$ encryptions are performed with independent random coins. Finally, on input $c = c_1, \ldots, c_k$, the decryption algorithm tries to decrypt each $c_i$ by applying $D_{sk_i}(c_i)$. It outputs the value that is obtained the largest number of times (ties are resolved arbitrarily).

We will use the direct product transformation only for encryptions of single 
bits. In this case, it is convenient to express correctness and security in terms of 
the advantage over half. 

Lemma 3. Let $(G,E,D)$ be any public-key encryption scheme over the message space $\{0,1\}$, and let $k : \mathbb{N} \to \mathbb{N}$ be any polynomially bounded function. If $(G,E,D)$ is $(1/2 + \alpha)$-correct and $(1/2 + \beta)$-OW, then $(G^{\otimes k}, E^{\otimes k}, D^{\otimes k})$ is $(1/2 + k\beta)$-OW and for every $\epsilon > 0$, it is $(1 - \epsilon)$-correct as long as $k > c \cdot 1/\alpha^2 \cdot \log 1/\epsilon$ for some fixed constant $c$.
Proof. The one-wayness of $(G^{\otimes k}, E^{\otimes k}, D^{\otimes k})$ is obtained by a standard hybrid argument. Correctness is also simple to show using the Chernoff bound. We note that we assume here that decryption errors occur with roughly the same probability for encryptions of zero and encryptions of one. For example, it is sufficient to assume that both $\Pr[D_{sk}(E_{pk}(0)) = 0] > 1/2 + \alpha/2$ and $\Pr[D_{sk}(E_{pk}(1)) = 1] > 1/2 + \alpha/2$. This is with no loss of generality as biases of $D$ (towards outputting zero or towards one) can always be corrected.
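The three transformations above, implemented as generic combinators over a toy base scheme so that their effect on correctness can be measured empirically; this is an added example, not code from the paper. The base scheme (a one-time pad under a PRF whose decryption is deliberately wrong on a 1/4 fraction of its coins, standing in for an $\alpha$-correct public-key scheme with independent keys per invocation) and the Monte Carlo estimation are constructed here.

```python
import hashlib
import random

MLEN = 4       # plaintext length in bytes of the toy base scheme
BAD_MOD = 4    # a (key, coins) pair is "bad" when its tag is 0 mod BAD_MOD: alpha = 3/4

def rand_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy stand-in for the base scheme (G, E, D) (constructed for this example, not a real
# public-key scheme): one random 16-byte key plays both pk and sk, E_pk(m) is a one-time
# pad under a PRF of fresh coins r, and D_sk deliberately returns a wrong plaintext on a
# fixed 1/BAD_MOD fraction of (key, r) pairs, so the scheme is only alpha-correct.
def G(rng):
    key = rand_bytes(rng, 16)
    return key, key

def E(pk, m, rng):
    r = rand_bytes(rng, 16)
    return r, xor(m, hashlib.sha256(b"pad" + pk + r).digest())

def D(sk, c):
    r, body = c
    m = xor(body, hashlib.sha256(b"pad" + sk + r).digest())
    if hashlib.sha256(b"bad" + sk + r).digest()[0] % BAD_MOD == 0:
        return xor(m, b"\xff" * MLEN)   # decryption error: a wrong plaintext, not bottom
    return m

# Parallel repetition (Definition 5): independent keys; bottom (None) if any component is bottom.
def G_par(k, rng):
    pairs = [G(rng) for _ in range(k)]
    return [pk for pk, _ in pairs], [sk for _, sk in pairs]

def E_par(pks, ms, rng):
    return [E(pk, m, rng) for pk, m in zip(pks, ms)]

def D_par(sks, cs):
    out = [D(sk, c) for sk, c in zip(sks, cs)]
    return None if any(m is None for m in out) else out

# Hard core bit (Definition 6): the Goldreich-Levin inner product <m, r> mod 2 masks sigma.
def inner_product(m, r):
    return sum(bin(a & b).count("1") for a, b in zip(m, r)) & 1

def E_hcb(pk, sigma, rng):
    m, r = rand_bytes(rng, MLEN), rand_bytes(rng, MLEN)
    return E(pk, m, rng), r, inner_product(m, r) ^ sigma

def D_hcb(sk, ct, rng):
    c, r, masked = ct
    m2 = D(sk, c)
    if m2 is None:                     # Definition 6: output a random bit on bottom
        return rng.getrandbits(1)
    return inner_product(m2, r) ^ masked   # wrong m2 still agrees with prob. 1/2 over r

# Direct product (Definition 7) over one-bit messages: k independent keys, majority decoding.
def E_dp(pks, sigma, rng):
    return [E_hcb(pk, sigma, rng) for pk in pks]

def D_dp(sks, cts, rng):
    votes = [D_hcb(sk, ct, rng) for sk, ct in zip(sks, cts)]
    return 1 if 2 * sum(votes) > len(votes) else 0   # ties (even k) go to 0, arbitrarily

# Monte Carlo estimates of the correctness of each scheme on random keys and messages.
def trial_base(rng):
    pk, sk = G(rng)
    m = rand_bytes(rng, MLEN)
    return D(sk, E(pk, m, rng)) == m

def trial_par(rng, k):
    pks, sks = G_par(k, rng)
    ms = [rand_bytes(rng, MLEN) for _ in range(k)]
    return D_par(sks, E_par(pks, ms, rng)) == ms

def trial_hcb(rng):
    pk, sk = G(rng)
    sigma = rng.getrandbits(1)
    return D_hcb(sk, E_hcb(pk, sigma, rng), rng) == sigma

def trial_dp(rng, k):
    pks, sks = G_par(k, rng)
    sigma = rng.getrandbits(1)
    return D_dp(sks, E_dp(pks, sigma, rng), rng) == sigma

def estimate_correctness(trial, trials, seed=1):
    rng = random.Random(seed)
    return sum(trial(rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("base, alpha            ~", estimate_correctness(trial_base, 2000))              # ~0.75
    print("E^3, alpha^3           ~", estimate_correctness(lambda r: trial_par(r, 3), 2000))  # ~0.42
    print("E^+, 1/2 + alpha/2     ~", estimate_correctness(trial_hcb, 2000))               # ~0.875
    print("E^(x)33, majority vote ~", estimate_correctness(lambda r: trial_dp(r, 33), 500))   # ~1.0
```

The measured values follow the lemmas: $\alpha^k$ for $E^k$, $1/2 + \alpha/2$ for $E^\oplus$, and a majority of 33 votes each correct with probability $0.875$ is essentially always right.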

4.3 Combining the Basic Transformations 

The three basic transformations defined above can be combined in various ways to improve $\alpha$-correct and $\beta$-OW encryption schemes. The most efficient combination depends on the particular values of $\alpha$ and $\beta$. We will not attempt to optimize the efficiency of our transformations but rather to demonstrate their effectiveness. For that we consider two settings of the parameters: (1) $\beta$ is an arbitrary constant smaller than one and $\alpha$ is also a constant smaller than one (that depends on $\beta$). (2) $\alpha$ is as small as $1/\mathrm{poly}$ and $\beta$ is non-negligible ($\beta = \Omega(\alpha^4)$).

Constant Decryption Errors 

Theorem 3. For any constant $\beta < 1$ there exists a constant $\alpha < 1$ such that if there exists an $\alpha$-correct and $\beta$-OW public-key encryption scheme then there exists an almost-all-keys perfectly-correct IND-CPA secure public-key encryption scheme.

Proof. Set $\alpha$ to be a constant such that $\beta < \alpha^8$ and let $(G_0, E_0, D_0)$ be an $\alpha$-correct and $\beta$-OW public-key encryption scheme. Define the following systems:

– $(G_1, E_1, D_1) = (G_0^{k_1}, E_0^{k_1}, D_0^{k_1})$ where $k_1 = \log_\alpha(1/n)$. Lemma 1 implies that $(G_1, E_1, D_1)$ is $(1/n)$-correct and $O(1/n^8)$-OW.

– $(G_2, E_2, D_2) = (G_1^\oplus, E_1^\oplus, D_1^\oplus)$. Lemma 2 implies that $(G_2, E_2, D_2)$ is $(1/2 + 1/(2n))$-correct and $(1/2 + O(1/n^4))$-OW.

– $(G_3, E_3, D_3) = (G_2^{\otimes k_2}, E_2^{\otimes k_2}, D_2^{\otimes k_2})$ where $k_2 = O(n^3)$, for which Lemma 3 implies that $(G_3, E_3, D_3)$ is $(1 - 2^{-5n})$-correct and $(1/2 + O(1/n))$-OW.

– $(G_4, E_4, D_4) = (G_3^{n}, E_3^{n}, D_3^{n})$. Lemma 1 implies that $(G_4, E_4, D_4)$ is $(1 - 2^{-5n})^n$-correct, which means that it is also $(1 - n \cdot 2^{-5n})$-correct. In addition it is $(1/p)$-OW for any polynomial $p$. Thus it is also neg-OW.

– $(G_5, E_5, D_5) = (G_4^\oplus, E_4^\oplus, D_4^\oplus)$. Lemma 2 implies that $(G_5, E_5, D_5)$ is $(1 - (n/2) \cdot 2^{-5n})$-correct and IND-CPA secure.

Theorem 3 now follows as a corollary of Theorem 1.

Very Frequent Decryption Errors 

Theorem 4. There exists some positive constant $c$ such that for any functions $\alpha > 1/\mathrm{poly}$ and $\beta < \alpha^4/c$ the following holds: If there exists an $\alpha$-correct and $\beta$-OW public-key encryption scheme then there exists an almost-all-keys perfectly-correct IND-CPA secure public-key encryption scheme.
Proof. Let $(G_0, E_0, D_0)$ be an $\alpha$-correct and $\beta$-OW public-key encryption scheme. The conditions of the theorem imply that it is also $(\alpha^4/c)$-OW.

Define $(G_1, E_1, D_1) = (G_0^\oplus, E_0^\oplus, D_0^\oplus)$. Lemma 2 implies that $(G_1, E_1, D_1)$ is $(1/2 + \alpha/2)$-correct and $(1/2 + O(\alpha^2/\sqrt{c}))$-OW.

Define $(G_2, E_2, D_2) = (G_1^{\otimes k}, E_1^{\otimes k}, D_1^{\otimes k})$. For any constant $\epsilon > 0$ we can let $k = O(1/\alpha^2)$ (with the constant hidden in the big O notation depending on $\epsilon$), such that Lemma 3 will imply that $(G_2, E_2, D_2)$ is $(1 - \epsilon)$-correct and $(1/2 + O(1/\sqrt{c}))$-OW. Setting $c$ to be a large enough constant implies that $(G_2, E_2, D_2)$ is $(3/4)$-OW. In other words, for any constant $\epsilon > 0$, if $c$ is a large enough constant, there exists a $(1 - \epsilon)$-correct and $(3/4)$-OW encryption scheme. Theorem 4 now follows as a corollary of Theorem 3.

4.4 Conclusion: Obtaining Non-malleability

As discussed in the introduction, one of the main motivations in dealing with 
decryption errors is obtaining non-malleability and chosen ciphertext security. 
As with Corollary 2 we now get from Theorem 4 the following corollary. 

Corollary 5. There exists some positive constant $c$ such that for any functions $\alpha > 1/\mathrm{poly}$ and $\beta < \alpha^4/c$ the following holds: If there exists an $\alpha$-correct and $\beta$-OW public-key encryption scheme and NIZK proof systems for NP exist, then there exists an almost-all-keys perfectly-correct NM-CCA-post secure public-key encryption scheme.

5 Dealing with Errors Using Random Oracles 

In this section we provide an integrated construction for transforming error-prone public-key encryption schemes with some negligible probability of error that are not necessarily secure against chosen ciphertext attacks into schemes that enjoy non-malleability against a chosen ciphertext attack of the post-processing kind. The advantage over the construction of Section 3 is that it works for any negligible probability of error (no need to first decrease the error probability to $2^{-\Omega(n)}$ where $n$ is the message length).

Let $(G, E, D)$ be a public-key encryption scheme that for public key $pk$ maps a message $m \in \{0,1\}^n$ and random coins string $r \in \{0,1\}^\ell$ into a ciphertext $c = E_{pk}(m, r)$ (since we may start with a scheme that is not necessarily semantically secure, we consider also the case of deterministic encryption, so $\ell$ may be 0). We assume without loss of generality that the decryption algorithm $D$ is deterministic*. The properties that we assume $E$ satisfies are:

$\alpha$-correctness and few bad pairs: For a random message $m$ and random $r$ we have $\Pr[D_{sk}(E_{pk}(m, r)) \neq m] < 1 - \alpha(n)$, where $1 - \alpha(n)$ is negligible. The probability is over the choice of $m, r$. We call a pair $(m, r)$ where $D_{sk}(E_{pk}(m, r)) \neq m$ a bad pair. The set of bad pairs is sparse in $\{0,1\}^{n+\ell}$.

* This may be justified, for instance, by applying a pseudo-random function to the message in order to obtain the random bits and adding the seed of the function to the secret key.
One-wayness: For any polynomial time adversary $A$ and for $c = E_{pk}(m, r)$ for random $m$ and $r$ we have that $\Pr_{m,r}[A(c, pk) = m]$ is negligible. In other words, $E$ is 0-OW.

In addition to the public-key cryptosystem $E$ satisfying the above conditions, we require (i) a shared-key encryption scheme $E_S$ which is NM-CCA-post secure. The keys $S$ are of length $k$ bits. Note that such schemes are easy to construct from pseudo-random functions (see [11]); and (ii) four functions $H_1 : \{0,1\}^{n/2} \to \{0,1\}^{n/2}$, $H_2 : \{0,1\}^{n/2} \to \{0,1\}^{n/2}$, $H_3 : \{0,1\}^{n} \to \{0,1\}^{\ell}$ and $H_4 : \{0,1\}^{n/2} \to \{0,1\}^{k}$ which will be modelled as ideal random functions. We assume that $n$ is sufficiently large so that $2^{n/2}$ is infeasible.

Construction 5.1. Let $(G, E, D)$ be a public-key encryption scheme, $H_1, H_2, H_3, H_4$ be idealized random functions as above and $E_S$ be a shared-key encryption scheme as above.

Generation $G'$: operates the same as $G$ and generates a public key $pk$ and secret key $sk$.

Encryption $E'$: Choose $t \in_R \{0,1\}^{n/2}$. Compute $z = H_1(t)$ and $w = H_2(z) \oplus t$ and $r = H_3(z \circ w)$. The encrypted message is composed of two parts $(c_1, c_2)$:

– The generated $c_1 = E_{pk}(z \circ w, r)$.

– The plaintext $m$ itself is encrypted with the shared-key encryption scheme $E_S$ with key $s = H_4(t)$, i.e. $c_2 = E_s(m)$.

Decryption $D'$: Given ciphertext $(c_1, c_2)$:

1. Apply $D$ to $c_1$ and obtain candidates for $z$ and $w$. Set $t = H_2(z) \oplus w$ and $r = H_3(z \circ w)$.

2. Check that $H_1(t) = z$ and that for $r = H_3(z \circ w)$ we have that $c_1 = E_{pk}(z \circ w, r)$.

3. Check, using $s = H_4(t)$, that $c_2$ is a valid ciphertext under $E_S$.

4. If any of the tests fails, output invalid ($\bot$). Otherwise, output the decryption of $c_2$ using $s$.

Note that once $t \in \{0,1\}^{n/2}$ has been chosen, there is a unique ciphertext $(c_1, c_2)$ generated from $t$ and encrypting $m$, which we denote $E'_{pk}(m, t)$. Furthermore, for any ciphertext, once the corresponding $t \in \{0,1\}^{n/2}$ is known, it is easy to decrypt the ciphertext without access to $sk$.  This is the key for obtaining security against chosen ciphertext attacks (since it is possible to follow the adversary's calls to $H_1$).

Why does this process immunize against decryption errors? The point is not that the decryption errors have disappeared, but that it is hard to find them. We can partition all strings (of length equal to $|E_{pk}(z \circ w, r)|$) into those that are in the range of $E$ (i.e., such that there exist $m$ and $r$ such that the string is equal to $E_{pk}(m, r)$) and those that are not. Consider a candidate ciphertext $(c_1, c_2)$ that is given to the decryption procedure $D'$. If the prefix of the ciphertext (i.e. $c_1$) is not in the range of $E$, then it is going to be rejected by $D'$ (at Step 2). So the security rests on the hardness of finding among the bad pairs $(z \circ w, r)$ one where $r = H_3(z \circ w)$ and $H_1(H_2(z) \oplus w) = z$. This is difficult for any fixed (but sparse) set of bad pairs and a random set of functions $H_1, H_2$ and $H_3$, even for an all-powerful adversary who is simply restricted in the number of calls to $H_1$, $H_2$ and $H_3$. In particular, as we will explain, if there are $q_1$ calls to $H_1$ and $q_2$ calls to $H_2$ then the probability that the adversary finds a bad pair that passes the test is bounded by $q_1(1 - \alpha) + q_1 q_2 / 2^{n/2}$. The first term comes from the "natural" method for constructing a pair that satisfies the constraints: Choose an arbitrary $y$. Apply $H_1$ to $y$ and call the result $z$, so that $z = H_1(y)$. Define $w = H_2(z) \oplus y$. Then $r = H_3(z \circ w)$, and we have the pair $(z \circ w, r)$ satisfying the necessary constraints. Note that the pair is completely determined by $y$, once the random oracles are fixed, and the pair is random, because the oracles are random. So for any method of choosing $y$ the probability of hitting a bad pair is $(1 - \alpha)$. This gives us the first term. For the second term, suppose during its history the adversary invokes $H_2$ a total of $q_2$ times, say, on inputs $x_1, x_2, \ldots, x_{q_2}$. Let $y$ be arbitrary. Define $w_i = y \oplus H_2(x_i)$, for $i = 1, \ldots, q_2$. We now check to see if $H_1(y) \in \{x_1, \ldots, x_{q_2}\}$. Suppose indeed that $H_1(y) = x_i$ (an event that occurs with probability at most $q_2 / 2^{n/2}$). Let $z = x_i$. Then we have that $z = H_1(y) = H_1(w_i \oplus H_2(x_i)) = H_1(w_i \oplus H_2(z))$. We let $r = H_3(z \circ w_i)$ and again we have a pair satisfying the constraints. The total number of pairs we can hope to generate this way is $q_1 q_2 / 2^{n/2}$.
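Construction 5.1 carried out end to end, as an added example that is not the paper's code: the random oracles $H_1$ to $H_4$ are domain-separated SHA-256, the base scheme is a constructed toy (a PRF one-time pad with a deliberately planted sparse set of bad pairs, standing in for an error-prone public-key scheme), and $E_S$ is a constructed one-time pad with an HMAC tag standing in for an NM-CCA-post secure shared-key scheme. It shows the point of the paragraph above: a ciphertext that happens to hit a bad pair, or a tampered $c_1$ or $c_2$, is rejected as $\bot$ by $D'$ rather than decrypted to a wrong plaintext.

```python
import hashlib
import hmac
from typing import Optional, Tuple

N2 = 16        # n/2 in bytes: t, z and w are N2 bytes each, so z o w is n = 2*N2 bytes
KLEN = 16      # length k of the shared key s
TAGLEN = 32
BAD_BOUND = 16 # toy bad set: a pair is bad when its 16-bit tag is below this (1/4096 of pairs)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def H(label: bytes, x: bytes, out_len: int) -> bytes:
    # Stand-in for the ideal random functions: domain-separated SHA-256 (constructed).
    return hashlib.sha256(label + x).digest()[:out_len]

def H1(t: bytes) -> bytes: return H(b"H1", t, N2)      # {0,1}^{n/2} -> {0,1}^{n/2}
def H2(z: bytes) -> bytes: return H(b"H2", z, N2)      # {0,1}^{n/2} -> {0,1}^{n/2}
def H3(zw: bytes) -> bytes: return H(b"H3", zw, N2)    # z o w -> coins r (here ell = N2 bytes)
def H4(t: bytes) -> bytes: return H(b"H4", t, KLEN)    # {0,1}^{n/2} -> shared key s

# Toy base scheme (G, E, D) (constructed, not a real public-key scheme): the same 16-byte
# secret plays pk and sk, E_pk(x, r) = r || (x XOR PRF_pk(r)) is deterministic in (x, r),
# and D_sk is silently wrong on a fixed sparse set of bad pairs (x, r), as in the text.
def G(seed: bytes) -> Tuple[bytes, bytes]:
    return seed, seed

def E(pk: bytes, x: bytes, r: bytes) -> bytes:
    return r + xor(x, hashlib.sha256(b"pad" + pk + r).digest())

def D(sk: bytes, c: bytes) -> bytes:
    r, body = c[:N2], c[N2:]
    x = xor(body, hashlib.sha256(b"pad" + sk + r).digest())
    if int.from_bytes(H(b"bad", sk + x + r, 2), "big") < BAD_BOUND:
        return xor(x, b"\x01" * len(x))   # decryption error: wrong plaintext, no bottom
    return x

# Toy shared-key scheme E_S standing in for an NM-CCA-post secure one: one-time pad under a
# PRF of s plus an HMAC tag (s is fresh for every t, and messages are at most 32 bytes).
def Es_enc(s: bytes, m: bytes) -> bytes:
    body = xor(m, hashlib.sha256(b"stream" + s).digest())
    return body + hmac.new(s, body, hashlib.sha256).digest()

def Es_dec(s: bytes, c2: bytes) -> Optional[bytes]:
    body, tag = c2[:-TAGLEN], c2[-TAGLEN:]
    if not hmac.compare_digest(hmac.new(s, body, hashlib.sha256).digest(), tag):
        return None
    return xor(body, hashlib.sha256(b"stream" + s).digest())

def enc(pk: bytes, m: bytes, t: bytes) -> Tuple[bytes, bytes]:
    # E'_pk(m, t): everything is determined by t once the oracles are fixed.
    z = H1(t)
    w = xor(H2(z), t)
    r = H3(z + w)
    return E(pk, z + w, r), Es_enc(H4(t), m)           # (c1, c2)

def dec(pk: bytes, sk: bytes, ct: Tuple[bytes, bytes]) -> Optional[bytes]:
    c1, c2 = ct
    zw = D(sk, c1)                                      # step 1: candidates for z and w
    z, w = zw[:N2], zw[N2:]
    t = xor(H2(z), w)
    if H1(t) != z or E(pk, z + w, H3(z + w)) != c1:     # step 2: re-encryption check
        return None                                     # step 4: invalid (bottom)
    return Es_dec(H4(t), c2)                            # steps 3 and 4: check c2, then m

def is_bad_t(pk: bytes, sk: bytes, t: bytes) -> bool:
    # Diagnostic for this toy only: does t lead E' to a bad pair (z o w, r) of the base scheme?
    z = H1(t)
    w = xor(H2(z), t)
    return D(sk, E(pk, z + w, H3(z + w))) != z + w

def find_bad_t(pk: bytes, sk: bytes, limit: int = 60000) -> Optional[bytes]:
    # Offline search with sk over the toy's 1/4096-dense bad set. For a sparse (negligible)
    # bad set this is the q1 * (1 - alpha) term of the bound above and is infeasible.
    for i in range(limit):
        t = i.to_bytes(N2, "big")
        if is_bad_t(pk, sk, t):
            return t
    return None
```

With a bad $t$ the base scheme returns a wrong $z \circ w$, so the recomputed $t$ no longer satisfies $H_1(t) = z$ and $D'$ outputs $\bot$ instead of a wrong message.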

Why does this process protect against chosen ciphertext attacks? This is very much for the same reason that the Fujisaki-Okamoto [14] scheme is secure. Note that the hardness of finding a bad pair is true also for someone knowing the private key $sk$ of $E$, that is, even the creator of the cryptosystem cannot find a bad pair. Therefore, even under a chosen ciphertext attack w.h.p. a bad pair will not be found. So w.h.p. on all queries given during the attack there is only one response. Furthermore, this response can be given by someone who is aware of the attacker's calls to $H_1$ (by going over all candidates for $t$). The addition of the function $H_4$ and the shared key scheme $E_S$ transforms the system from a one-way scheme into one that is non-malleably secure against chosen ciphertext attacks. From these sketched arguments we get:

Theorem 6. If $(G, E, D)$ is $(1 - \mathrm{neg})$-correct and neg-one-way then $(G', E', D')$ is $(1 - \mathrm{neg})$-correct and NM-CCA-post secure.



6 Conclusions and Open Problems 

We have shown how to eliminate decryption errors in encryption schemes (and even handle non-negligible success probability of the adversary). It is interesting to note that sometimes such ambiguity is actually desirable. This is the case with deniable encryption [7], where the goal is, in order to protect the privacy of the conversation, to allow a sender to claim that the plaintext corresponding to a given ciphertext is different than the one actually sent.

As discussed in Section 4, an interesting open problem is to give a transformation that deals with $\alpha$-correct and $\beta$-OW encryption schemes when the gap between $\alpha$ and $\beta$ is very small. For example, we may hope to have $\alpha - \beta$ be an arbitrary constant or even $1/\mathrm{poly}$. Nevertheless, as discussed there, having such a strong transformation may involve improving the corresponding transformation in the related information-theoretic setting of [35].
Abstract. The Diffie-Hellman (DH) transform is a basic cryptographic primitive used in innumerable cryptographic applications, most prominently in discrete-log based encryption schemes and in the Diffie-Hellman key exchange. In many of these applications it has been recognized that the direct use of the DH output, even over groups that satisfy the strong Decisional Diffie-Hellman (DDH) assumption, may be insecure. This is the case when the application invoking the DH transform requires a value that is pseudo-randomly distributed over a set of strings of some length rather than over the DH group in use. A well-known and general solution is to hash (using a universal hash family) the DH output; we refer to this practice as the "hashed DH transform".

The question that we investigate in this paper is to what extent the DDH assumption is required when applying the hashed DH transform. We show that one can obtain a secure hashed DH transform over a non-DDH group $G$ (i.e., a group in which the DDH assumption does not hold); indeed, we prove that for the hashed DH transform to be secure it suffices that $G$ contain a sufficiently large DDH subgroup. As an application of this result, we show that the hashed DH transform is secure over $\mathbb{Z}_p^*$ for random prime $p$, provided that the DDH assumption holds over the large prime-order subgroups of $\mathbb{Z}_p^*$. In particular, we obtain the same security working directly over $\mathbb{Z}_p^*$ as working over prime-order subgroups, without requiring any knowledge of the prime factorization of $p - 1$ and without even having to find a generator of $\mathbb{Z}_p^*$.

Further contributions of the paper to the study of the DDH assumption include: the introduction of a DDH relaxation, via computational entropy, which we call the "$t$-DDH assumption" and which plays a central role in obtaining the above results; a characterization of DDH groups in terms of their DDH subgroups; and the analysis of the DDH (and $t$-DDH) assumptions when using short exponents.



1 Introduction 

The Diffie-Hellman Transform and DDH Assumption. The Diffie-Hellman transform is one of the best-known and fundamental cryptographic primitives. Its discovery by Whitfield Diffie and Martin Hellman [DH76] revolutionized the science of cryptography and marked the birth of Modern Cryptography. Even today, almost 30 years later, the DH transform remains the basis of some of the most widely used cryptographic techniques. In particular, it underlies the Diffie-Hellman key exchange and the ElGamal encryption scheme [ElG85], and is used over a large variety of mathematical groups. In its basic form the Diffie-Hellman (or DH for short) transform maps a pair of elements $g^a, g^b$, drawn from a cyclic group $G$ generated by the element $g$, into the group element $g^{ab}$*. The usefulness of this transform was originally envisioned under the conjecture, known as the Computational Diffie-Hellman (CDH) assumption, that states the infeasibility of computing the value $g^{ab}$ given only the exponentials $g^a$ and $g^b$. Namely, the value $g^{ab}$ should be computable only by those knowing one of the exponents $a$ or $b$. Note that the CDH assumption implies the difficulty of computing discrete logarithms over the group $G$ (the converse, however, is unknown for most practical groups).

Over time it was realized that the CDH assumption is insufficient to guarantee the security of most DH applications (in particular those mentioned above). For this reason a much stronger assumption was introduced: the Decisional Diffie-Hellman (DDH) assumption postulates that given the values $g^a$ and $g^b$ not only is it computationally hard to derive the value $g^{ab}$ but even the seemingly much easier task of distinguishing $g^{ab}$ from random group elements is infeasible [Bra93] (see [Bon98] for a survey on the DDH assumption). On the basis of this assumption one can consider the DH transform as a good generator of pseudorandomness as required in key-exchange, encryption and other cryptographic applications. Hereafter we refer to groups in which the DDH assumption holds as DDH groups. The need to rely on the DDH disqualifies many natural groups where the assumption does not hold. For example, any group whose order is divisible by small factors, such as the classic groups $\mathbb{Z}_p^*$ of residues modulo a large prime $p$; in this case the group's order, $p - 1$, is always divisible by 2 and thus the DDH assumption does not hold. Moreover, for randomly generated primes $p$, $p - 1$ has (with very high probability) additional small factors. Due to the perceived need to work over DDH groups it is often recommended in the cryptographic literature that one work over subgroups of large prime order where no attacks are known on the DDH assumption.

The Need for Hashing the Diffie-Hellman Result. Interestingly, the DDH assumption, while apparently necessary, turns out to be insufficient for guaranteeing the security of some of the most basic applications of the DH transform. Consider for example the ElGamal encryption scheme: Given a public key $y = g^a$ (for secret $a$), a message $m \in G$ is encrypted by the pair $(g^b, m y^b)$ where the value $b$ is chosen randomly anew for each encryption. In this case, the DDH assumption guarantees the semantic security ([GM84]) of the scheme (against chosen-plaintext attacks) provided that the plaintexts $m$ are elements of the group $G$. However, if the message space is different, e.g. the set of strings of some length smaller than $\log(|G|)$, then the above encryption scheme becomes problematic. First of all, you need to encode messages $m$ as group elements in $G$ and that could be cumbersome. If $G$ is a subgroup of prime order of $\mathbb{Z}_p^*$, a naive (and common) approach would be to trivially encode $m$ as an integer and perform the multiplication $m y^b$ modulo $p$. But now the scheme is insecure even if the group $G$ does satisfy the DDH assumption. A good illustration of the potential weaknesses of this straightforward (or "textbook") application of ElGamal is presented in [BJN00]. It is shown that if the space of plaintexts consists of random strings of length shorter than $|G|$ (e.g., when using public key encryption to encrypt symmetric keys) the above scheme turns out to be insecure even under a ciphertext-only attack and, as said, even if the group $G$ is DDH. For example, if the plaintexts to be encrypted are keys of length 64, an attacker that sees a ciphertext has a significant probability of finding the plaintext with a work factor in the order of $2^{32}$ operations and comparable memory; for encrypted keys of length 128 the complexity of finding the key is reduced to $2^{64}$.

* Here we use the exponential notation that originates with multiplicative groups but our treatment applies equally to additive groups such as Elliptic Curves.

A general and practical approach to solving these serious security weaknesses is to avoid using the DH value itself to "mask" $m$ via multiplication, but rather to hash the DH value to obtain a pseudorandom key $K$ of suitable length which can then be used to encrypt the message $m$ under a particular encryption function (in particular, $K$ can be used as a one-time pad). In this case the hash function is used to extract the (pseudo) randomness present in the DH value. Suitable hash functions with provable extraction properties are known, for example universal hash functions [CW79,HILL99]. The above considerations are common to many other applications of the DH transform, including encryption schemes secure against chosen-ciphertext attacks [CS98] and, most prominently, the Diffie-Hellman key-exchange protocol (in the latter case one should not use the DH output as a cryptographic key but rather derive the agreed shared keys via a hashing of the DH result); see Section 3.2 for a discussion on how these applications choose a random hash function out of a given family. For additional examples and justification of the need for hashing the DH output see [Bon98,NR97,CS98,ABR01]. In the sequel we refer to the combination of the DH transform with a (universal) hash function as the hashed DH transform.



1.1 Our Results 

The Security of the Hashed DH Transform over non-DDH Groups. In light of the need to hash the DH value, some natural questions arise: when applying the hashed DH transform, is it still necessary to work over groups where the DDH assumption holds, or can this requirement be relaxed? Can one obtain a secure (hashed) DH transform over a non-DDH group, and specifically, is doing hashed DH over $\mathbb{Z}_p^*$ secure? In this paper we provide answers to these questions. Our main result can be informally stated as follows: For any cyclic group $G$, applying the hashed DH transform over $G$ has the same security as applying the hashed DH transform directly over the maximal DDH subgroup of $G$. In particular, one can obtain secure applications of the hashed DH transform over non-DDH groups; the only requirement is that $G$ contain a (sufficiently large) DDH subgroup (see below for the exact meaning of "sufficiently large" and other parameter size considerations). A significant point is that we are only concerned with the existence of such a subgroup; there is no need to know the exact size or structural properties of, nor to be able to construct, this specific (maximal) DDH subgroup.

A particularly interesting consequence of the above result is that assuming that DDH holds on large subgroups of $\mathbb{Z}_p^*$ (we will see later that it is sufficient to assume that DDH holds on large prime-order subgroups of $\mathbb{Z}_p^*$), one can build secure (hashed) DH applications working directly over $\mathbb{Z}_p^*$, where $p$ is an unconstrained random prime. Only the length of the prime is specified, while other common requirements such as the knowledge of the partial or full factorization of $p - 1$, insisting that $p - 1$ has a prime factor of a particular size, or disqualifying primes for which $(p - 1)/2$ has a smooth part, are all avoided here. Moreover, we show that there is no need to find a generator of $\mathbb{Z}_p^*$; instead we prove that a randomly chosen element from $\mathbb{Z}_p^*$ will span a (probably non-DDH) subgroup with a large enough DDH subgroup. In particular, the DH security is preserved even if the order of the chosen element has small factors or if it misses some prime divisors of $p - 1$. Note that avoiding the need to find a generator for $\mathbb{Z}_p^*$ allows us to work with primes $p$ with unknown factorization of $p - 1$ (which is otherwise required to find a $\mathbb{Z}_p^*$ generator).

The $t$-DDH Assumption. In order to prove our main result (i.e., that the hashed DH transform is secure over any group $G$, not necessarily a DDH group, that contains a large enough DDH subgroup), we introduce a relaxation of the DDH assumption which we call the $t$-DDH assumption. Informally, a group $G$ satisfies the $t$-DDH assumption (where $0 < t < |G|$) if given the pair $(g^a, g^b)$ (where $g$ is a generator of $G$) the value $g^{ab}$ contains $t$ bits of computational entropy. The notion of computational entropy, introduced in [HILL99], captures the amount of computational hardness present in a probability distribution. In other words, we relax the "full hardness" requirement at the core of the DDH assumption, and assume partial hardness only. Moreover, we do not care about the exact subsets of bits or group elements where this hardness is contained, but only assume their existence. On this basis, and using the entropy-smoothing theorem from [HILL99] (also known as the leftover hash lemma), we obtain a way to efficiently transform (via universal hashing) DH values over groups in which the $t$-DDH assumption holds into shorter outputs that are computationally indistinguishable from the uniform distribution. The maximal length of (pseudorandom) strings that one can obtain as output from the hashed DH transform depends on the maximum value of $t$ for which the $t$-DDH holds in $G$. In particular, in order to be $2^{-k}$-computationally close to uniform one can output up to $t - 2k$ pseudorandom bits (e.g., to produce 128-bit keys with a security parameter of $k = 80$ the group $G$ should be 288-DDH, while for $k = 128$, $G$ is to be 384-DDH).

After defining the t-DDH assumption and showing its usefulness in extracting random bits from t-DDH groups, we show that if G contains a DDH subgroup of order m then G is $|m|$-DDH. This forms the basis for our main result as stated




Secure Hashed Diffie-Hellman over Non-DDH Groups

above. Indeed, it suffices that G has a suitably large-order DDH subgroup to 
ensure that hashing the DH output results in pseudorandom outputs of the 
required length. Again, it is important to stress that we do not need to know 
the specific DDH subgroup or its order, only (assume) its existence. 

A Direct Product Characterization of the DDH Assumption. A further contribution of our work is in providing a characterization of the DDH assumption in a given group in terms of its DDH subgroups. Specifically, we show that a group is DDH if and only if it is the direct product of (disjoint) prime power DDH groups. In other words, a group G is DDH if and only if all its prime power subgroups are DDH. Moreover, for any cyclic group G, the maximal DDH group in G is obtained as the product of all prime power DDH subgroups in G. Beyond its independent interest, this result plays a central role in our proof that the hashed DH transform over $Z_p^*$ is secure as long as the DDH assumption holds in the subgroups of $Z_p^*$ of large prime order. In particular, this allows us to expand significantly the groups in which one can work securely with the hashed DH transform without having to strengthen the usual assumption that DDH holds in large prime order subgroups.

Some Practical Considerations. Beyond the theoretical interest in understanding the role of the DDH assumption and proving the usefulness of relaxed assumptions, our results point out some practical issues that are worth discussing. In this respect, one significant contribution is the justification of the use of non-DDH groups in applications of DH that hash their output. It needs to be noted that in spite of an extensive crypto literature regarding the use of prime order subgroups for performing DH, many real-world instantiations of this primitive work over non-DDH groups (e.g. $Z_p^*$). Examples include the widespread SSH and IPsec standards. Interestingly, the latter has standardized a set of groups for use with the IKE Diffie-Hellman key-exchange protocols [RFC2409], none of which constitute a DDH group. However, since the IKE protocol takes care of hashing the output of the DH transform before generating the cryptographic keys (see [Kra03]), our results serve to justify the security of this mechanism¹.

In addition, and as pointed out before, our results also show that under the sole assumption that the DDH holds in groups of large prime order one can work directly over $Z_p^*$ for a random prime p, without having to know the factorization of $p-1$ and without having to find a generator of $Z_p^*$. Moreover, the ability to work over non-prime order groups has the benefit of eliminating the attacks on the DH transform described in [LL97], without having to search for primes of a special form (and without necessitating special parameter checks when certifying public keys [LL97]).



¹ In IKE, the family of hash functions used for extracting a pseudorandom key from the DH value are implemented using common pseudorandom function families keyed with random, but known, keys. The randomness extraction properties of the latter families are studied in [GHKR04].
Short-Exponent Diffie-Hellman. One important practical consideration is the length of exponents used when applying the DH transform. Full exponents when working over $Z_p^*$ are, typically, of size 1024 or more. Even if one works over a prime-order subgroup, one still needs to use relatively large orders (e.g. 288-bit long primes), with their correspondingly large exponents, to ensure a hashed output (say of 128 bits) that is indistinguishable from uniform. (This requirement for large computational entropy is often overlooked; indeed, the usual practice of using 160-bit prime-order groups, which originates with Schnorr's signatures, is inappropriate for hashed DH-type applications.)

Motivated by the significant cost of exponentiation using long exponents, we investigate whether one can use short exponents (e.g. as in [RFC2409]) and still preserve the security of the hashed DH transform. An obviously necessary requirement for the short exponent practice to be secure is the assumption that the discrete log problem is hard when exponents are restricted to a short length (say of s bits). We show that this requirement (called the s-DLSE assumption) is sufficient for the secure use of short exponents in the setting of the DH transform; more precisely, we prove (based on [Gen00]) that if the s-DLSE assumption holds in a group G, then the hashed DH transform in G is as secure with full exponents as with s-bit exponents. As a consequence, one can analyze the security of the hashed DH transform in the group G with full exponents and later replace the full exponents with much shorter ones without sacrificing security. In this case the important parameter is s; we note that the appropriate value of s depends on the underlying group. See [vOW96] for an extensive study of the plausible value of s for different groups.

Paper’s Organization. In Section 2 we recall the DDH Assumption and 
prove the DDH Characterization Theorem. In Section 3 we introduce the t- 
DDH Assumption and its application to the hashed DH transform, and prove 
the central Max-Subgroup Theorem. In Section 4 we investigate the security of 
the hashed DH transform when using short exponents. We conclude in Section 
5 by describing the applicability of our results to the hashed DH transform over 
non-DDH groups. 

Notation. The formal treatment in this paper often involves sequences of probability distributions $\{\mathcal{D}_n\}_{n \in \mathbb{N}}$ to which we refer as probability ensembles (or simply as "ensembles"). We adopt the convention that by the "probability distribution $\mathcal{D}_n$" we mean the specific element (distribution) $\mathcal{D}_n$ in the above sequence, while the term "probability ensemble $\mathcal{D}_n$" is short for "probability ensemble $\{\mathcal{D}_n\}_{n \in \mathbb{N}}$". We also assume that each distribution $\mathcal{D}_n$ is taken over a set $A_n \subseteq \{0,1\}^{n'}$ where $n'$ is polynomial in n (i.e., each ensemble has a fixed polynomial in n that determines the value $n'$). The notation $x \in_{\mathcal{D}_n} A_n$ is to be read as x chosen in $A_n$ according to the distribution $\mathcal{D}_n$, and $x \in_R S$ means choosing x with uniform distribution over the set S. Finally if m is an integer, we denote with $|m|$ its binary length.
2 A Direct-Product DDH Characterization

We consider an (infinite) family of cyclic groups $\mathcal{G} = \{G_n\}_n$. Denote with $g_n$ and $m_n$ a generator and the order of $G_n$, respectively, where $|m_n|$ is bounded by a polynomial in n.

Consider the following problem: Given a pair $g_n^a, g_n^b$ compute the value $g_n^{ab}$. If this problem is intractable over a family $\mathcal{G}$ then we say that the Computational Diffie-Hellman (CDH) assumption holds (over $\mathcal{G}$).

A much stronger, but also more useful, assumption is the following. Consider the family of sets $G_n^3 = G_n \times G_n \times G_n$ and the following two probability ensembles over it:

$\mathcal{R}_n = \{(g_n^a, g_n^b, g_n^c) \text{ for } a, b, c \in_R [0..m_n]\}$

and

$\mathcal{DH}_n = \{(g_n^a, g_n^b, g_n^{ab}) \text{ for } a, b \in_R [0..m_n]\}$

Definition 1. We say that the Decisional Diffie-Hellman (DDH) Assumption holds over $\mathcal{G}$ if the ensembles $\mathcal{R}_n$ and $\mathcal{DH}_n$ are computationally indistinguishable (with respect to non-uniform distinguishers)². If $\mathcal{G}$ satisfies the DDH assumption, we call $\mathcal{G}$ a DDH group (family).

Informally, what the above assumption requires is that no polynomial time judge can decide if the third element of the triple $(g^a, g^b, g^c)$ is the result of the Diffie-Hellman transform applied to $g^a, g^b$, or a randomly chosen group element. Clearly this is a much weaker requirement on the attacker than computing the value $g^{ab}$ from $g^a, g^b$. Therefore, as a general hardness assumption, DDH is (much) stronger than CDH.

The group family $\mathcal{G}$ over which the two distributions $\mathcal{R}_n$ and $\mathcal{DH}_n$ are defined is very important and indeed it makes a difference for the validity of the assumption.

Example 1: A group where the DDH assumption does not hold. Consider the following group family: for each n take an n-bit prime $p_n$ and the group $G_n = Z_{p_n}^*$. Since testing for quadratic residuosity over $Z_{p_n}^*$ is easy, by computing $\left(\frac{\cdot}{p_n}\right)$ (the Legendre symbol), we immediately get a distinguisher against DDH in this group: mapping the Legendre symbol 1 (i.e. quadratic residues) to 0 and the Legendre symbol $-1$ to 1, we can simply check that the bit assigned to $g^c$ equals the product of the bits assigned to $g^a$ and $g^b$, and output $\mathcal{DH}_n$ if it holds and $\mathcal{R}_n$ otherwise. Clearly, if the triple is a legal DH triple then the distinguisher outputs $\mathcal{DH}_n$ with probability 1, while in the other case the probability is only 1/2.
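As an added illustration of Example 1 (this code is not part of the paper; the prime p = 1019, the generator g = 2 and all function names are constructed for this note), the following Python code implements the Legendre-symbol distinguisher and measures its acceptance rate on genuine DH triples and on random triples. It also runs the same test over the prime-order subgroup of Example 2, where every element is a quadratic residue and the test therefore gives no information:

```python
import random

# Constructed toy parameters (far too small for real use): p = 2q + 1 is a safe
# prime, so Z_p^* has order 2q, and g = 2 generates it because 1019 = 3 (mod 8)
# makes 2 a quadratic non-residue while 2 != -1 (mod p).
P, Q, G = 1019, 509, 2
assert pow(G, 2, P) != 1 and pow(G, Q, P) != 1   # g has order 2q, i.e. it generates Z_p^*


def legendre_bit(x: int, p: int) -> int:
    """Euler's criterion: map the Legendre symbol (x/p) to 0 for a quadratic
    residue and to 1 for a non-residue."""
    return 0 if pow(x, (p - 1) // 2, p) == 1 else 1


def passes_residuosity_check(A: int, B: int, C: int, p: int) -> bool:
    """The test from Example 1: for a generator g, g^{ab} is a residue exactly
    when a or b is even, so a genuine DH triple satisfies bit(C) = bit(A) * bit(B)."""
    return legendre_bit(C, p) == legendre_bit(A, p) * legendre_bit(B, p)


def dh_acceptance_rate(p, g, order, trials, seed=0):
    """Fraction of genuine triples (g^a, g^b, g^{ab}) that the check accepts."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        a, b = rng.randrange(order), rng.randrange(order)
        hits += passes_residuosity_check(pow(g, a, p), pow(g, b, p), pow(g, a * b, p), p)
    return hits / trials


def random_acceptance_rate(p, g, order, a, b):
    """Fraction of triples (g^a, g^b, g^c) accepted, exhaustively over c in Z_order,
    i.e. the exact acceptance probability on the distribution R_n for fixed a, b."""
    A, B = pow(g, a, p), pow(g, b, p)
    hits = sum(passes_residuosity_check(A, B, pow(g, c, p), p) for c in range(order))
    return hits / order
```

Over the full group the check accepts every DH triple and exactly half of the random triples, which is the advantage described above; over the subgroup generated by $g^2$ (order q, all quadratic residues) it accepts everything, so the Legendre symbol no longer distinguishes.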

Example 2: A group where the DDH is conjectured to hold. For each integer n consider an n-bit prime $p_n$ and a poly(n)-bit prime that divides $p_n - 1$. The group $G_n$ is the subgroup of that prime order in $Z_{p_n}^*$. In this case no efficient distinguisher against the DDH is known.

² The notion of computational indistinguishability is recalled in Appendix A; see also the remark below regarding our non-uniform formalism.

An important remark about our formalism. We assume a notion of computational indistinguishability under non-uniform distinguishers. In particular, such a distinguisher may be given an "auxiliary input" for each group $G_n$ in the family $\mathcal{G}$. This approach allows us to keep the simplicity of arguments in the asymptotic polynomial-time model while capturing the fact that we are interested in the security of individual groups for which the attacker may have some side information. A particularly important example of such "side information" is the possible knowledge by the attacker of the group order and its factorization. Our results do assume that such factorization may be given to the attacker (as part of the non-uniform auxiliary input). In particular, this assumption plays an important role in the proof of the following theorem, which does not necessarily hold when the factorization of $\mathrm{ord}(G)$ is unknown (as may be the case when working over $Z_N^*$ where N = pq is a modulus of unknown factorization).

Due to our focus on the security of specific groups we will often omit the sub- 
script n in the notation of groups, generators, etc. 

The next theorem provides a full characterization of DDH groups in terms 
of their prime order subgroups (as remarked above, the proof of this theorem 
assumes that the distinguisher is given the factorization of ord{G)). 

Theorem 1 (Direct Product Characterization Theorem). A cyclic group G is DDH if and only if all its prime power subgroups are DDH.

The proof follows from Lemmas 1 and 2.

Lemma 1. If the DDH assumption holds in a group G then it holds in all the subgroups of G.

Proof. Let G be a DDH (cyclic) group of order $m = m_1 m_2$, and let $G_1$ be a subgroup of G of order $m_1$. Let g be a generator of G and $g_1 = g^{m_2}$ be a generator of $G_1$. Assume by contradiction that the DDH does not hold in $G_1$, i.e. there is a distinguisher $D_1$ that upon receiving a triple $(A_1 = g_1^{a_1}, B_1 = g_1^{b_1}, C_1 = g_1^{c_1}) \in G_1^3$ can distinguish whether it came from the distribution $\mathcal{R}_{G_1}$ or $\mathcal{DH}_{G_1}$ with non-negligible advantage $\epsilon$. We build a distinguisher D for G which distinguishes between the distributions $\mathcal{DH}_G$ and $\mathcal{R}_G$ with the same probability $\epsilon$.

Upon receiving a triple $(A = g^a, B = g^b, C = g^c)$, where $a, b \in_R Z_{m_1 m_2}$ and c is either the product ab or picked uniformly at random in $Z_{m_1 m_2}$, the distinguisher D:

1. Computes $(A_1, B_1, C_1)$ by setting $A_1 = A^{m_2}$, $B_1 = B^{m_2}$ and $C_1 = C^{m_2}$.

2. Passes the triple $(A_1, B_1, C_1)$ to $D_1$.

3. Outputs the same output bit as $D_1$.

Note that by construction the values $A_1, B_1, C_1$ equal $g_1^{a_1}, g_1^{b_1}, g_1^{c_1}$ respectively, where $a_1 = a \bmod m_1$, $b_1 = b \bmod m_1$, $c_1 = c \bmod m_1$. Since $a, b \in_R Z_{m_1 m_2}$ then $a_1, b_1 \in_R Z_{m_1}$. Also, if $c = ab \bmod m_1 m_2$ then $c_1 = a_1 b_1 \bmod m_1$, while if $c \in_R Z_{m_1 m_2}$ then $c_1 \in_R Z_{m_1}$. In other words, whenever the triple (A, B, C) is distributed according to $\mathcal{DH}_G$ then the triple $(A_1, B_1, C_1)$ is distributed according to $\mathcal{DH}_{G_1}$, while if (A, B, C) is distributed according to $\mathcal{R}_G$ then the triple $(A_1, B_1, C_1)$ is distributed according to $\mathcal{R}_{G_1}$. Therefore, D distinguishes between the distributions $\mathcal{DH}_G$ and $\mathcal{R}_G$ with the same probability $\epsilon$ that $D_1$ distinguishes between $\mathcal{DH}_{G_1}$ and $\mathcal{R}_{G_1}$. □

Lemma 2. Let G be a cyclic group of order $m = m_1 m_2$, where $(m_1, m_2) = 1$, and let $G_1$ and $G_2$ be the subgroups of G of orders $m_1, m_2$ resp. If DDH holds in $G_1$ and $G_2$ then DDH holds in G.



Proof. Let $g, g_1, g_2$ be generators of $G, G_1$, and $G_2$, respectively; in particular, $g_1 = g^{m_2}$ and $g_2 = g^{m_1}$. Given a triple $t_1 = (A_1 = g_1^{a_1}, B_1 = g_1^{b_1}, C_1 = g_1^{c_1}) \in G_1^3$ and a triple $t_2 = (A_2 = g_2^{a_2}, B_2 = g_2^{b_2}, C_2 = g_2^{c_2}) \in G_2^3$ we define the following transformation T which "lifts" this pair of triples into a triple in $G^3$ (T is the standard isomorphism between the group G and its product group representation as determined by the Chinese Remainder Theorem). On input $t_1, t_2$, $T(t_1, t_2)$ outputs a triple $(A = g^a, B = g^b, C = g^c) \in G^3$ defined as follows:

1. Let $r_1, r_2$ be such that $r_1 m_1 + r_2 m_2 = 1$ (i.e., $r_1 = m_1^{-1} \bmod m_2$ and $r_2 = m_2^{-1} \bmod m_1$).

2. Set $A = A_1^{r_2} A_2^{r_1} = g^{a_1 m_2 r_2 + a_2 m_1 r_1}$, i.e., $a = a_1 m_2 r_2 + a_2 m_1 r_1 \bmod m$.

3. Set $B = B_1^{r_2} B_2^{r_1} = g^{b_1 m_2 r_2 + b_2 m_1 r_1}$, i.e., $b = b_1 m_2 r_2 + b_2 m_1 r_1 \bmod m$.

4. Set $C = C_1^{m_2 r_2^2} C_2^{m_1 r_1^2} = g^{c_1 m_2^2 r_2^2 + c_2 m_1^2 r_1^2}$, i.e., $c = c_1 m_2^2 r_2^2 + c_2 m_1^2 r_1^2 \bmod m$.

Note the following facts about the triple (A, B, C) which result from the above transformation:

Fact 1. If $a_1, b_1 \in_R Z_{m_1}$ and $a_2, b_2 \in_R Z_{m_2}$ then $a, b \in_R Z_m$.

Fact 2. $c - ab = c_1 - a_1 b_1 \bmod m_1$ and $c - ab = c_2 - a_2 b_2 \bmod m_2$.

Fact 3. Following Facts 1 and 2, if the triple $t_1$ is chosen according to distribution $\mathcal{DH}_{G_1}$ and $t_2$ according to distribution $\mathcal{DH}_{G_2}$, then the triple (A, B, C) is distributed according to the distribution $\mathcal{DH}_G$. Similarly, if $t_1, t_2$ are distributed according to $\mathcal{R}_{G_1}$ and $\mathcal{R}_{G_2}$, respectively, then (A, B, C) is distributed according to $\mathcal{R}_G$.

For probability distributions $\mathcal{D}_1, \mathcal{D}_2$ we denote by $T(\mathcal{D}_1, \mathcal{D}_2)$ the probability distribution induced by the random variable $T(x_1, x_2)$ where $x_1, x_2$ are random variables distributed according to $\mathcal{D}_1, \mathcal{D}_2$, respectively, and T is the above defined transform. Using this notation and Fact 3 we get: $\mathcal{DH}_G = T(\mathcal{DH}_{G_1}, \mathcal{DH}_{G_2})$ and $\mathcal{R}_G = T(\mathcal{R}_{G_1}, \mathcal{R}_{G_2})$.

Let us now consider the "hybrid" probability distribution $T(\mathcal{R}_{G_1}, \mathcal{DH}_{G_2})$. Note that this distribution is computationally indistinguishable from $T(\mathcal{DH}_{G_1}, \mathcal{DH}_{G_2})$. Indeed, since the distribution $\mathcal{DH}_{G_2}$ is efficiently samplable and the transformation T is efficiently computable, one can transform any efficient distinguisher between the above two distributions into an efficient distinguisher between $\mathcal{R}_{G_1}$ and $\mathcal{DH}_{G_1}$, in contradiction to the Lemma's premise that the distributions $\mathcal{R}_{G_1}$ and $\mathcal{DH}_{G_1}$ are indistinguishable. Similarly, we have that the hybrid distribution $T(\mathcal{R}_{G_1}, \mathcal{DH}_{G_2})$ is indistinguishable from $T(\mathcal{R}_{G_1}, \mathcal{R}_{G_2})$. Summarizing, we have that:

$\mathcal{DH}_G = T(\mathcal{DH}_{G_1}, \mathcal{DH}_{G_2}) \approx T(\mathcal{R}_{G_1}, \mathcal{DH}_{G_2}) \approx T(\mathcal{R}_{G_1}, \mathcal{R}_{G_2}) = \mathcal{R}_G$

where $\approx$ denotes computational indistinguishability. Therefore by a standard hybrid argument (or the triangle inequality for computational indistinguishability) we get that, provided that the DDH assumption holds in $G_1$ and $G_2$, $\mathcal{DH}_G$ and $\mathcal{R}_G$ are computationally indistinguishable, i.e. G is DDH. □
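An added worked example of the transformation T from the proof of Lemma 2 (this code is not from the paper; the group $Z_{211}^*$ of order $210 = 15 \cdot 14$, the split $m_1 = 15$, $m_2 = 14$, and all function names are constructed for this note). It computes the lift both on group elements (steps 2-4) and on exponents, checks Fact 2, and checks that the two views agree:

```python
from math import gcd

# Constructed toy group: G = Z_211^* is cyclic of order m = 210 = 15 * 14 with
# (m1, m2) = (15, 14) coprime, so G1 = <g^14> has order 15 and G2 = <g^15> has order 14.
P, M1, M2 = 211, 15, 14
PRIME_FACTORS_OF_ORDER = [2, 3, 5, 7]   # prime factors of 210


def find_generator(p, prime_factors):
    """Smallest generator of Z_p^*: g generates iff g^{(p-1)/r} != 1 for every prime r | p-1."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // r, p) != 1 for r in prime_factors):
            return g
    raise ValueError("no generator found")


def bezout_coeffs(m1, m2):
    """Step 1: r1 = m1^{-1} mod m2 and r2 = m2^{-1} mod m1, so r1*m1 + r2*m2 = 1 (mod m1*m2)."""
    if gcd(m1, m2) != 1:
        raise ValueError("m1 and m2 must be coprime")
    r1, r2 = pow(m1, -1, m2), pow(m2, -1, m1)
    assert (r1 * m1 + r2 * m2) % (m1 * m2) == 1
    return r1, r2


def lift_triple(t1, t2, m1, m2, p):
    """Steps 2-4 of T on group elements: (A1,B1,C1) in G1^3 and (A2,B2,C2) in G2^3
    are lifted to A = A1^r2 A2^r1, B = B1^r2 B2^r1, C = C1^{m2 r2^2} C2^{m1 r1^2} in G^3."""
    (A1, B1, C1), (A2, B2, C2) = t1, t2
    r1, r2 = bezout_coeffs(m1, m2)
    A = pow(A1, r2, p) * pow(A2, r1, p) % p
    B = pow(B1, r2, p) * pow(B2, r1, p) % p
    C = pow(C1, m2 * r2 * r2, p) * pow(C2, m1 * r1 * r1, p) % p
    return A, B, C


def lift_exponents(e1, e2, m1, m2):
    """The same transformation on exponents: (a1,b1,c1) mod m1 and (a2,b2,c2) mod m2
    give a = a1 m2 r2 + a2 m1 r1, b likewise, c = c1 m2^2 r2^2 + c2 m1^2 r1^2 (mod m)."""
    (a1, b1, c1), (a2, b2, c2) = e1, e2
    r1, r2 = bezout_coeffs(m1, m2)
    m = m1 * m2
    a = (a1 * m2 * r2 + a2 * m1 * r1) % m
    b = (b1 * m2 * r2 + b2 * m1 * r1) % m
    c = (c1 * m2 * m2 * r2 * r2 + c2 * m1 * m1 * r1 * r1) % m
    return a, b, c


def fact2_holds(e1, e2, m1, m2):
    """Fact 2: c - ab = c1 - a1 b1 (mod m1) and c - ab = c2 - a2 b2 (mod m2)."""
    (a1, b1, c1), (a2, b2, c2) = e1, e2
    a, b, c = lift_exponents(e1, e2, m1, m2)
    return (((c - a * b) - (c1 - a1 * b1)) % m1 == 0
            and ((c - a * b) - (c2 - a2 * b2)) % m2 == 0)


def lift_is_consistent(e1, e2, g, m1, m2, p):
    """Lifting the elements g1^{a1}, ... gives exactly g^a, g^b, g^c for the lifted exponents."""
    g1, g2 = pow(g, m2, p), pow(g, m1, p)     # generators of G1 and G2
    t1 = tuple(pow(g1, e, p) for e in e1)
    t2 = tuple(pow(g2, e, p) for e in e2)
    a, b, c = lift_exponents(e1, e2, m1, m2)
    return lift_triple(t1, t2, m1, m2, p) == (pow(g, a, p), pow(g, b, p), pow(g, c, p))
```

With $c_1 = a_1 b_1 \bmod m_1$ and $c_2 = a_2 b_2 \bmod m_2$ the lifted c equals $ab \bmod m$ (a DH triple lifts to a DH triple); with a random $c_1$ the difference $c - ab$ is exactly the difference $c_1 - a_1 b_1$ modulo $m_1$, as Fact 2 states.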

3 The t-DDH Assumption and the Hashed DH Transform 

In this section we introduce an intractability assumption that is, in general, 
weaker than the DDH assumption, yet it suffices for ensuring DH outputs from 
which a large number of pseudorandom bits can be extracted. We start by re- 
calling the notions of computational entropy and entropy smoothing. We use the 
notations introduced at the end of Section 1. 



3.1 Computational Entropy and Entropy Smoothing 

Definition 2. Let $X_n$ be a probability ensemble over $A_n$. The min-entropy of $X_n$ is the value

$\mathrm{min\text{-}ent}(X_n) = \min_{x \in A_n} (-\log(\mathrm{Prob}_{X_n}[x]))$

Note that if $X_n$ has min-entropy t(n) then for all $x \in A_n$, $\mathrm{Prob}_{X_n}[x] \le 2^{-t(n)}$.

The notion of min-entropy provides a measurement of the amount of randomness present in a probability distribution. Indeed, the Entropy Smoothing Theorem (see below) shows that if $X_n$ has min-entropy t(n) it is possible to construct from $X_n$ an (almost) uniform distribution over (almost) t(n) bits, by simply hashing elements chosen according to $X_n$. The basic hashing tool to do this uses the following notion of universal hashing.

Definition 3. Let $\mathcal{H}_n$ be a family of functions, where each $H \in \mathcal{H}_n$ is defined as $H : A_n \to \{0,1\}^{m(n)}$. We say that $\mathcal{H}_n$ is a family of (pairwise-independent) universal hash functions if for all $x, x' \in A_n$, $x \neq x'$, and for all $a, a' \in \{0,1\}^{m(n)}$ we have

$\mathrm{Prob}_{H \in_R \mathcal{H}_n}[H(x) = a \text{ and } H(x') = a'] = 2^{-2m(n)}$

That is, a randomly chosen H will map any pair of distinct elements independently and uniformly.
Our techniques use as a central tool the following Entropy Smoothing Theorem from [HILL99] (see also [Lub96]). The definition of statistical distance used below is recalled in Appendix A.

Theorem 2 (Entropy Smoothing Theorem [HILL99]). Let t be a positive integer and let X be a random variable defined on $\{0,1\}^n$ such that $\mathrm{min\text{-}ent}(X) \ge t$. Let $k > 0$ be an integer parameter. Let $\mathcal{H}$ be a family of universal hash functions such that for $h \in \mathcal{H}$, $h : \{0,1\}^n \to \{0,1\}^{t-2k}$. Let U be the uniform distribution over $\{0,1\}^{t-2k}$. Then, the distributions $[\langle h(X), h \rangle]_{h \in_R \mathcal{H}}$ and $[\langle U, h \rangle]_{h \in_R \mathcal{H}}$ have statistical distance at most $2^{-k}$.

Thus, the Entropy Smoothing Theorem guarantees that if $X_n$ is a probability ensemble over $A_n$ with min-entropy of at least t(n), and $\mathcal{H}_n$ a family of universal hash functions from $A_n$ to $\{0,1\}^{t(n)-2k(n)}$, then the random variable H(x), where $H \in_R \mathcal{H}_n$ and x is chosen according to the distribution $X_n$, is "almost" uniformly distributed over $\{0,1\}^{t(n)-2k(n)}$ even when the hash function H is given. Here, "almost" means a statistical distance of at most $2^{-k(n)}$. Therefore, if one sets $k(n) = \omega(\log n)$, then the statistical distance of H(x) from uniform becomes negligible.

The following notion represents a computational analogue of the notion of 
min-entropy; it is due to [HILL99]. 

Definition 4. A probability ensemble $Y_n$ has computational entropy t(n) if there exists a probability ensemble $X_n$ such that

— $\mathrm{min\text{-}ent}(X_n) \ge t(n)$

— $X_n$ and $Y_n$ are computationally indistinguishable

Using a standard hybrid argument it is easy to show that the Entropy Smoothing Theorem, as discussed above, can be generalized to probability ensembles $Y_n$ that have computational entropy t(n). In this case, applying a (randomly chosen) universal hash function with $k(n) = \omega(\log n)$ to $Y_n$ results in a pseudorandom ensemble, namely, an ensemble which is computationally indistinguishable from the uniform distribution.



3.2 t-DDH: A Relaxed DDH Assumption 

We proceed to define the t-DDH assumption. The intuition behind this assumption is that if the Computational Diffie-Hellman Assumption holds in a group G generated by a generator g, then the DH value $g^{ab}$ must have some degree of unpredictability (or "partial hardness") even when $g^a$ and $g^b$ are given. Specifically, we say that the t-DDH Assumption holds in the group G if the Diffie-Hellman output $g^{ab}$ has t bits of computational entropy (here $0 < t < \log(G)$). Formally:

Definition 5. We say that the t(n)-DDH Assumption holds over a group family $\mathcal{G} = \{G_n\}_n$ if for all n there exists a family of probability distributions $X_n(g^a, g^b)$ over $G_n$ (one distribution for each pair $g^a, g^b$) such that

— $\mathrm{min\text{-}ent}(X_n(g^a, g^b)) \ge t(n)$

— The probability ensemble $\mathcal{DH}_n$ (see Section 2) is computationally indistinguishable from the ensemble

$\mathcal{R}^*_n = \{(g_n^a, g_n^b, C) \text{ for } a, b \in_R Z_{\mathrm{ord}(G_n)} \text{ and } C \in_{X_n(g^a, g^b)} G_n\}$

It is important to note that the distributions $X_n(g^a, g^b)$ in the above definition may be different for each pair of values $g^a, g^b$. Requiring instead a single distribution $X_n$ for all pairs $(g^a, g^b)$ (as may seem more natural at first glance) results in a significantly stronger, and consequently less useful, assumption.

Consider Example 1 from Section 2: over $Z_p^*$ one can break the DDH by detecting if the quadratic residuosity character of C is consistent with the one induced by $g^a, g^b$. Yet, $Z_p^*$ can satisfy the t-DDH assumption even for high values of t. For example, if for all a, b for which one of a, b is even we define $X_n(g^a, g^b)$ to be the set of quadratic residues in $Z_p^*$, and for all other pairs $g^a, g^b$ we define $X_n(g^a, g^b)$ to be the set of quadratic non-residues in $Z_p^*$, then the trivial break of DDH in the above example does not hold against these distributions. More generally, if we consider a prime p of the form $2^u q + 1$ where q is a prime then we can get that (given current knowledge) the t-DDH assumption holds for $Z_p^*$ for $t = |p| - u$, while clearly the DDH assumption does not hold over this group.

Note that the DDH assumption can also be stated in terms of computational 
entropy. Indeed the DDH assumption over a group G is equivalent to the t-DDH 
assumption over G for t = log(ord(G)). 

Sampling $X_n(g^a, g^b)$. The t-DDH Assumption as stated above makes no requirement of efficient samplability for $X_n(g^a, g^b)$. It is possible to strengthen the assumption by requiring that $X_n(g^a, g^b)$ be efficiently samplable. We say that the samplable [resp. semi-samplable] t-DDH Assumption holds over $\mathcal{G}$, if the t-DDH Assumption holds over $\mathcal{G}$ and the underlying distributions $X_n(g^a, g^b)$ are polynomial-time samplable [resp. polynomial-time samplable when either exponent a or b is known].

As a direct consequence of the Entropy Smoothing Theorem and the defini- 
tion of t-DDH we have: 

Lemma 3. Let $\mathcal{G} = \{G_n\}_n$ be a group family in which the t(n)-DDH Assumption holds, and let $\{\mathcal{H}_n\}_n$ be a family of universal hash functions such that for all $h \in \mathcal{H}_n$, $h : G_n \to \{0,1\}^{t'(n)}$ where $t'(n) = t(n) - \omega(\log n)$. Then the induced distribution of $h(g_n^{ab})$, for $a, b \in_R [1..\mathrm{ord}(G_n)]$ and $h \in_R \mathcal{H}_n$, is computationally indistinguishable from the uniform distribution over $\{0,1\}^{t'(n)}$ even when h, $g_n^a$ and $g_n^b$ are given to the distinguisher.

Notice that the above lemma requires the hash function h to be chosen at random for each application. This is the case in several practical protocols (such as the case of IKE [RFC2409], mentioned in the Introduction, in which a key to the hash function is chosen by the communicating parties anew with each run of the protocol). However, it is also possible to fix a randomly chosen hash function and apply it repeatedly to different DH values. An example of such an application would be its use in the context of the Cramer-Shoup CCA-secure cryptosystem [CS98] (also discussed in the Introduction) in which the specific hash function h would be chosen at random from the family $\mathcal{H}$ by the owner of the decryption key, and published as part of the public key parameters. In this case, the security of the repeated use of the same hash function h can be proved via a standard simulation argument.
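The following added Python example (not the paper's code; the toy sizes, the affine hash family over GF(2) and all function names are this note's choices) exercises Definition 3, Theorem 2 and Lemma 3 together, and also illustrates the Introduction's point that the hashed DH transform can be run over $Z_p^*$ with an arbitrary element rather than a generator. It checks pairwise independence exhaustively for a tiny instance of the family, encodes the output-length rule $t - 2k$, runs an empirical entropy-smoothing experiment on a source of known min-entropy, and derives a hashed DH key with a publicly known, randomly chosen hash function:

```python
import itertools
import random


def parity(x: int) -> int:
    """Parity of the bits of x, i.e. a GF(2) inner product with a row of the matrix."""
    return bin(x).count("1") & 1


class AffineGF2Hash:
    """h(x) = M x xor v over GF(2) with M an l-by-n bit matrix and v an l-bit vector.
    Drawing M and v uniformly gives a pairwise-independent family from n bits to l bits."""

    def __init__(self, rows, offset):
        self.rows = list(rows)    # row i of M stored as an n-bit integer
        self.offset = offset      # the vector v

    @classmethod
    def random(cls, n_bits, l_bits, rng):
        return cls([rng.getrandbits(n_bits) for _ in range(l_bits)], rng.getrandbits(l_bits))

    def __call__(self, x: int) -> int:
        out = 0
        for i, row in enumerate(self.rows):
            out |= parity(row & x) << i
        return out ^ self.offset


def is_pairwise_independent(n_bits, l_bits):
    """Exhaustive check of Definition 3 for tiny parameters: over all functions in the
    family, every pair x != x' lands on every (a, a') exactly |H| / 2^{2l} times."""
    family = [AffineGF2Hash(rows, v)
              for rows in itertools.product(range(2 ** n_bits), repeat=l_bits)
              for v in range(2 ** l_bits)]
    expected = len(family) // 4 ** l_bits
    for x in range(2 ** n_bits):
        for x2 in range(2 ** n_bits):
            if x == x2:
                continue
            counts = {}
            for h in family:
                key = (h(x), h(x2))
                counts[key] = counts.get(key, 0) + 1
            if len(counts) != 4 ** l_bits or any(c != expected for c in counts.values()):
                return False
    return True


def output_length(t, k):
    """Theorem 2: from t bits of (computational) entropy one extracts t - 2k bits that are
    2^{-k}-close to uniform; e.g. 128-bit keys at k = 80 need a 288-DDH group."""
    return t - 2 * k


def statistical_distance_from_uniform(counts, total, l_bits):
    """SD = (1/2) * sum over y of |Pr[h(X) = y] - 2^{-l}|."""
    return sum(abs(counts.get(y, 0) / total - 2.0 ** -l_bits) for y in range(2 ** l_bits)) / 2


def smoothing_experiment(n_bits, t_bits, k, trials, seed=0):
    """Average over random h of SD(h(X), U), X uniform over a constructed support of 2^t
    distinct n-bit strings (min-entropy exactly t). The average over h is the distance
    between <h(X), h> and <U, h>, which Theorem 2 bounds by 2^{-k}."""
    rng = random.Random(seed)
    support = rng.sample(range(2 ** n_bits), 2 ** t_bits)
    l_bits = output_length(t_bits, k)
    total = 0.0
    for _ in range(trials):
        h = AffineGF2Hash.random(n_bits, l_bits, rng)
        counts = {}
        for x in support:
            counts[h(x)] = counts.get(h(x), 0) + 1
        total += statistical_distance_from_uniform(counts, len(support), l_bits)
    return total / trials


def hashed_dh_keys(p, elem, h, a, b):
    """Lemma 3 in action over Z_p^*: elem need not be a generator (as in the Introduction);
    both parties hash the shared value elem^{ab} with the same public h. Returns both keys."""
    A, B = pow(elem, a, p), pow(elem, b, p)
    return h(pow(B, a, p)), h(pow(A, b, p))
```

For the constructed 10-bit source hashed down to $10 - 2 \cdot 3 = 4$ bits the measured distance stays well below $2^{-3}$; the hashed DH call uses the element 4 of $Z_{1019}^*$, which generates only the order-509 subgroup, exactly the "random element, not a generator" situation of the Introduction.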

Finally we point out that for groups of prime order, the t-DDH Assumption is 
equivalent to the full DDH. The proof of this fact can be obtained by a standard 
random self-reducibility argument. 

Lemma 4. Let G be a group of prime order q. If the t-DDH Assumption holds in G for $t > 0$ then the DDH Assumption holds in G as well.

This yields an interesting 0-1 law for prime order groups, in which either the DDH Assumption holds, and thus the DH output has $\log(q)$ bits of computational entropy, or we cannot claim that the DH output has any bits of computational entropy.



3.3 The Max- Subgroup Theorem 

We now proceed to prove our main theorem concerning the t-DDH assumption. 
The significance of the theorem below is that we can claim that a cyclic group 
is t-DDH if t is the order of the maximal subgroup of G where the DDH holds. 

Theorem 3. Let G be a cyclic group of order $m = m_1 m_2$ where $(m_1, m_2) = 1$, and $G_1$ be a subgroup of order $m_1$ in G. If the DDH Assumption holds over $G_1$ then the $|m_1|$-DDH Assumption holds in G.

Proof. An initial intuition behind the correctness of the theorem is that the hardness hidden in $G_1$ could be "sampled" when applying a hash function to the DH values over G. This however is incorrect: the size of $G_1$ may be negligible in relation to |G| and as such the probability to sample a triple $(g^a, g^b, g^{ab})$ from $G_1$ is negligible too. The actual argument, presented next, uses the observation that the "hardness" present in $G_1$ can be extended to its cosets in G.

Let g be a generator of G and $g_1 = g^{m_2}$ be a generator of order $m_1$ of $G_1$. Given $g^a, g^b \in G$, we define the distribution $X(g^a, g^b)$ to be the uniform distribution over $\{C = g^c \in G \text{ such that } c \in Z_m \text{ and } c = ab \bmod m_2\}$. Thus, it is easy to see that $X(g^a, g^b)$ has $|m_1|$ bits of min-entropy (since the above set has $m_1$ elements). Let $\mathcal{R}^*$ denote the probability distribution $\{(g^a, g^b, C) : a, b \in_R Z_m \text{ and } C \in_{X(g^a, g^b)} G\}$.

We assume by contradiction that the $|m_1|$-DDH assumption does not hold in G, and thus we have a distinguisher D between the distributions $\mathcal{DH}_G$ and $\mathcal{R}^*$. Using D we build a distinguisher $D_1$ that distinguishes between the distributions $\mathcal{DH}_{G_1}$ and $\mathcal{R}_{G_1}$.
Given a triple $(A_1, B_1, C_1)$ where $A_1 = g_1^{a_1}$, $B_1 = g_1^{b_1}$ and $C_1$ either equals $g_1^{a_1 b_1}$ or $g_1^{c_1}$ for $c_1 \in_R Z_{m_1}$, the distinguisher $D_1$ does the following:

1. Chooses $i, j \in_R Z_m$.

2. Sets $A = A_1 g^i$, $B = B_1 g^j$ and $C = C_1^{m_2} A_1^j B_1^i g^{ij}$, computed in G.

3. Hands D the triple (A, B, C).

4. Outputs the same output bit as D.

Let's examine the distribution of the triple (A, B, C). Consider first A. This value is set to $A = A_1 g^i = g^{m_2 a_1} g^i = g^{m_2 a_1 + i}$, i.e. $a = m_2 a_1 + i$. Since $i \in_R Z_m$ then also $a \in_R Z_m$. Similarly for $B = g^b$ we get $b = m_2 b_1 + j$ and $b \in_R Z_m$. In the case of C we have $C = C_1^{m_2} A_1^j B_1^i g^{ij} = g^{c_1 m_2^2 + m_2 a_1 j + m_2 b_1 i + ij}$, thus $c = c_1 m_2^2 + m_2 a_1 j + m_2 b_1 i + ij$. In addition, we have that $ab = (m_2 a_1 + i)(m_2 b_1 + j) = m_2^2 a_1 b_1 + m_2 a_1 j + m_2 b_1 i + ij$. Thus

$c - ab = m_2^2 c_1 + m_2 a_1 j + m_2 b_1 i + ij - (m_2^2 a_1 b_1 + m_2 a_1 j + m_2 b_1 i + ij) = m_2^2 c_1 - m_2^2 a_1 b_1$

which implies $c = m_2^2 (c_1 - a_1 b_1) + ab \bmod m$. Therefore, if $c_1 = a_1 b_1$ then $c = ab$, while if $c_1 \in_R Z_{m_1}$ then $c_1 - a_1 b_1 \in_R Z_{m_1}$, and consequently C is distributed according to the distribution $X(g^a, g^b)$. In other words, the triple (A, B, C) is distributed according to $\mathcal{DH}_G$ if $(A_1, B_1, C_1)$ came from $\mathcal{DH}_{G_1}$, and it is distributed according to $\mathcal{R}^*$ if $(A_1, B_1, C_1)$ came from $\mathcal{R}_{G_1}$. Therefore, $D_1$ distinguishes between $\mathcal{DH}_{G_1}$ and $\mathcal{R}_{G_1}$ with the same probability that D distinguishes between $\mathcal{DH}_G$ and $\mathcal{R}^*$. Since we assumed the latter probability to be non-negligible we reached a contradiction with the premise that $G_1$ is a DDH group. □

Remark on samplability. The distributions $X(g^a, g^b)$ defined in the above proof are efficiently samplable given $m_1, m_2$ and at least one of a, b. Indeed given, say, a and $B = g^b$, we can sample $X(g^a, g^b)$ by choosing $k \in_R Z_{m_1}$ and setting $C = B^a g_1^k$. In other words, provided that $m_1, m_2$ are given, Theorem 3 (and its corollary below) can be strengthened to claim that the semi-samplable $|m_1|$-DDH Assumption holds in G. We will use this stronger version of the theorem in Section 5.
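As an added example (not from the paper; the group $Z_{211}^*$ with $m_1 = 15$, $m_2 = 14$ and all function names are constructed for this note), the code below carries out the randomization performed by $D_1$ in the proof of Theorem 3 on group elements and on exponents, verifies the relation $c - ab = m_2^2 (c_1 - a_1 b_1) \bmod m$, and checks that the sampler from the remark above enumerates exactly the support of $X(g^a, g^b)$:

```python
# Constructed toy group: G = Z_211^* is cyclic of order m = 210 = m1 * m2 with
# m1 = 15, m2 = 14 coprime, and G1 = <g^{m2}> has order m1. g = 2 generates Z_211^*
# (checked below: 2^{210/r} != 1 for every prime r dividing 210).
P, M1, M2, G = 211, 15, 14, 2
M = M1 * M2
assert all(pow(G, M // r, P) != 1 for r in (2, 3, 5, 7))
G1 = pow(G, M2, P)      # generator of the subgroup G1 of order m1


def randomize_to_full_group(A1, B1, C1, i, j):
    """Steps 1-2 of D_1: from a triple over G1 and i, j in Z_m build
    A = A1 g^i, B = B1 g^j, C = C1^{m2} A1^j B1^i g^{ij} in G."""
    A = A1 * pow(G, i, P) % P
    B = B1 * pow(G, j, P) % P
    C = pow(C1, M2, P) * pow(A1, j, P) * pow(B1, i, P) * pow(G, i * j, P) % P
    return A, B, C


def exponents_after_randomization(a1, b1, c1, i, j):
    """Exponent bookkeeping from the proof: a = m2 a1 + i, b = m2 b1 + j,
    c = c1 m2^2 + m2 a1 j + m2 b1 i + ij (all mod m)."""
    a = (M2 * a1 + i) % M
    b = (M2 * b1 + j) % M
    c = (c1 * M2 * M2 + M2 * a1 * j + M2 * b1 * i + i * j) % M
    return a, b, c


def relation_holds(a1, b1, c1, i, j):
    """c - ab = m2^2 (c1 - a1 b1) (mod m); in particular c = ab (mod m2) always,
    and c = ab (mod m) exactly when c1 = a1 b1 (mod m1)."""
    a, b, c = exponents_after_randomization(a1, b1, c1, i, j)
    return ((c - a * b - M2 * M2 * (c1 - a1 * b1)) % M == 0
            and (c - a * b) % M2 == 0)


def element_view_matches(a1, b1, c1, i, j):
    """The group-element construction agrees with the exponent bookkeeping."""
    A1, B1, C1 = pow(G1, a1, P), pow(G1, b1, P), pow(G1, c1, P)
    a, b, c = exponents_after_randomization(a1, b1, c1, i, j)
    return randomize_to_full_group(A1, B1, C1, i, j) == (pow(G, a, P), pow(G, b, P), pow(G, c, P))


def sample_X(a, B, k):
    """Sampler from the remark: given a and B = g^b, C = B^a g1^k with k in Z_{m1}
    is a sample of X(g^a, g^b), since its exponent is ab + m2 k = ab (mod m2)."""
    return pow(B, a, P) * pow(G1, k, P) % P


def coset_exhausts_X(a, b):
    """Over all k in Z_{m1} the sampler hits each of the m1 elements g^c with
    c = ab (mod m2) exactly once, so it is uniform over the support of X(g^a, g^b)."""
    B = pow(G, b, P)
    samples = {sample_X(a, B, k) for k in range(M1)}
    target = {pow(G, c, P) for c in range(M) if c % M2 == (a * b) % M2}
    return samples == target
```

With $c_1 = a_1 b_1 \bmod m_1$ the randomized triple is a DH triple of G; with any other $c_1$ it is a triple whose third component satisfies $c = ab \bmod m_2$ but not $\bmod m$, which is precisely a sample of $\mathcal{R}^*$.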

From the above theorem and the Characterization Theorem we get:

Corollary 1. For any cyclic group G, G is $|m|$-DDH where m is the order of the maximal DDH subgroup of G.



4 DDH and t-DDH with Short Exponents 

In this section we investigate the use of the DDH and t-DDH assumptions in 
conjunction with the so called “short-exponent discrete-log” assumption. 

The Short-Exponent Discrete-Log Assumption. A common practice for increasing the efficiency of exponentiation in cryptographic applications based on the hardness of computing discrete logarithms, and in particular those using the Diffie-Hellman transform, is to replace full-length exponents (i.e. of length logarithmic in the group order) with (significantly) shorter exponents. The security of this practice cannot be justified by the usual assumption that computing discrete logarithms (with full-length exponents) is hard, but rather requires a specific assumption first analyzed in [vOW96] and formalized (as follows) in [PS98].

Assumption 4 (s-DLSE [PS98]). Let $\mathcal{G} = \{G_n\}_n$ be a family of cyclic groups where each $G_n$ has a generator $g_n$ and $\mathrm{ord}(G_n) = m(n) > 2^n$. We say that the s-DLSE Assumption holds in $\mathcal{G}$ if for every probabilistic polynomial time Turing machine I, for every polynomial $P(\cdot)$ and for all sufficiently large n we have that $\mathrm{Prob}_{x \in_R [1..2^s]}[I(g_n, m(n), s, g_n^x) = x] < 1/P(n)$.

Current knowledge points to the plausibility of the above assumption even for exponents s significantly shorter than $\log(\mathrm{ord}(g))$. The exact values of s for which the assumption seems to hold depend on the group generated by the element g. An obvious lower bound on s, if one wants to achieve security against $2^n$-complexity attacks, is $s > 2n$, which is necessary to thwart the usual square-root attacks such as Shanks and Pollard methods. However, as was pointed out in [vOW96], there are cases where s needs to be chosen larger than 2n. Specifically, they show how to use a Pohlig-Hellman decomposition to obtain some of the bits of the exponent. The power of the attack depends on the (relatively) small prime factors of the group order. For example, when working over $Z_p^*$ with a random prime p, the [vOW96] results indicate the use of $s \approx 4n$ (e.g., with a security parameter of 80 one should use s = 320 which is much shorter than the 1024 or 2048 bits of p, yet twice as much as the bare minimum of s = 160). If one wants to use s = 2n (i.e. assume the 2n-DLSE), it is necessary to work in special groups such as those of prime order or $Z_p^*$ with p a safe prime (i.e. p = 2q + 1, and q prime).

From Hardness to Indistinguishability. Gennaro [Gen00] proves that if the s-DLSE assumption holds in $G = Z_p^*$ with p a safe prime then the distribution over G generated by $g^x$ for $x \in_R [1..2^s]$ is computationally indistinguishable from the uniform distribution over G. Here we use a generalization of this result that we summarize in the following proposition (see the full version of this paper [GKR04] for a proof of this Proposition).

Proposition 1. Let G be a cyclic group of order m generated by g, such that m is odd or m/2 is odd. If the s-DLSE Assumption holds in G, then the following two distributions $S_G = \{g^x : x \in_R [1..2^s]\}$ and $U_G = \{g^x : x \in_R Z_m\}$ are computationally indistinguishable.

Next we show that if in a group G both the s-DLSE and the t-DDH Assumptions 
hold, then performing the Diffie-Hellman transform with short exponents a and 
b yields a DH output with t bits of computational entropy. In other words, the 
security of the hashed DH transform over such groups when using s-bit long 
exponents is essentially equivalent to that of using full exponents. 
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Theorem 5. Let G be a cyclic group of order m generated by g, such that m 
is odd, or m/2 is odd. Let s, t be such that the s-DLSE and the semi-samplable 
t-DDH Assumptions hold in G. Denote with $X(g^a, g^b)$ the family of distributions 
induced by the t-DDH assumption over G (see Def. 5). Then the following two 
distributions 

$\mathcal{SDH}^* = \{(g^a, g^b, g^{ab}) \text{ for } a, b \in_R [1..2^s]\}$ 

and 

$\mathcal{SR}^* = \{(g^a, g^b, C) \text{ for } a, b \in_R [1..2^s] \text{ and } C \in_{X(g^a, g^b)} G\}$ 

are computationally indistinguishable. 

Proof. Recall that if the t-DDH Assumption holds over the group G of order m, 
then there exists a family of probability distributions $X(g^a, g^b)$ with min-entropy 
t (one distribution for each pair $g^a, g^b$) over G such that the distributions 

$\{(g^a, g^b, g^{ab}) \text{ for } a, b \in_R \mathbb{Z}_m\}$ 

and 

$\{(g^a, g^b, C) \text{ for } a, b \in_R \mathbb{Z}_m \text{ and } C \in_{X(g^a, g^b)} G\}$ 

are computationally indistinguishable. 

The following standard hybrid argument yields the proof of the Theorem. 
Consider the intermediate distributions 

$D_0 = \{(g^a, g^b, g^{ab}) \text{ for } a, b \in_R [1..2^s]\}$ 

$D_1 = \{(g^a, g^b, g^{ab}) \text{ for } a \in_R \mathbb{Z}_m,\ b \in_R [1..2^s]\}$ 

$D_2 = \{(g^a, g^b, g^{ab}) \text{ for } a, b \in_R \mathbb{Z}_m\}$ 

$D_3 = \{(g^a, g^b, C) \text{ for } a, b \in_R \mathbb{Z}_m \text{ and } C \in_{X(g^a, g^b)} G\}$ 

$D_4 = \{(g^a, g^b, C) : b \in_R [1..2^s],\ a \in_R \mathbb{Z}_m \text{ and } C \in_{X(g^a, g^b)} G\}$ 

$D_5 = \{(g^a, g^b, C) : a, b \in_R [1..2^s] \text{ and } C \in_{X(g^a, g^b)} G\}$ 

Clearly $D_0 = \mathcal{SDH}^*$ while $D_5 = \mathcal{SR}^*$. If there is an efficient distinguisher between 
these distributions then, by a standard hybrid argument, there is an efficient 
distinguisher between $D_i$ and $D_{i+1}$ for some $i \in \{0, 1, 2, 3, 4\}$. But under the 
t-DDH Assumption we know that $D_2$ is computationally indistinguishable from 
$D_3$. Also, under the s-DLSE Assumption we know that $D_i$ is computationally 
indistinguishable from $D_{i+1}$ for i = 0, 1, 3, 4 by reduction to Proposition 1 (in 
the case i = 3, 4 one needs $X(g^a, g^b)$ to be semi-samplable). □ 

Note that, as a particular case, when t = log(m) the theorem states that if G is 
a DDH group in which the s-DLSE assumption holds, then performing the DH 
transform over G with exponents of size s yields values that are indistinguishable 
from random elements in G. 
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5 Hashed DH over $\mathbb{Z}_p^*$ and Its Subgroups 

Here we discuss the security of the hashed DH transform over groups and sub- 
groups of $\mathbb{Z}_p^*$ for prime p. Throughout this section we assume that the DDH 
assumption holds over the large prime-order subgroups of $\mathbb{Z}_p^*$. Under this as- 
sumption we immediately get that it is secure to use the hashed DH transform 
over a subgroup $G_q$ of $\mathbb{Z}_p^*$ of order q, provided that q is a sufficiently large prime 
that divides p − 1. By sufficiently large we mean that the DDH assumption (plau- 
sibly) holds in $G_q$ (for a given security parameter k), and that the computational 
entropy of $G_q$ is sufficient for the application. Specifically, if the application re- 
quires a pseudorandom output of ℓ bits then q needs to satisfy |q| > ℓ + 2k. 
Similarly, we get that it is secure to work in any subgroup of $\mathbb{Z}_p^*$ whose order m 
is the product of large primes (each of which divides p − 1); also here it is re- 
quired that |m| > ℓ + 2k, although note that each of the prime factors of m may 
be smaller than that bound (one usually assumes the DDH to hold on groups of 
prime order q with |q| > 2k). 

Moreover, one of the most significant contributions of our work is in showing 
the security of the hashed DH transform also over groups (or subgroups) whose 
order is divisible by small prime factors (and therefore not satisfying the DDH 
assumption). In particular, this is necessarily the case for the group $\mathbb{Z}_p^*$ with 
prime p (the order m = p − 1 of this group is always divisible by small prime 
factors, e.g., 2). Our results show that the hashed DH is secure over $\mathbb{Z}_p^*$ provided 
that p − 1 has enough prime divisors whose product is larger than the entropy 
bound $2^{\ell + 2k}$, and for which the subgroups of corresponding prime order are 
DDH. (In particular, the fact that p − 1 has additional smaller prime factors 
does not invalidate the security of the hashed DH in $\mathbb{Z}_p^*$.) 

A particularly interesting group is $\mathbb{Z}_p^*$ for p = 2q + 1 and q prime. In this 
case, working directly with the hashed DH over $\mathbb{Z}_p^*$ is secure since we are assum- 
ing that its subgroup of order q is DDH, and therefore the whole $\mathbb{Z}_p^*$ group is 
|q|-DDH. Working over $\mathbb{Z}_p^*$ in this case has several important advantages: (i) 
one can produce a large (actually, largest) number of pseudorandom bits (specif- 
ically, |p| − 1 − 2k bits); (ii) p can be chosen such that 2 is a generator of $\mathbb{Z}_p^*$ 
(which speeds up exponentiation); (iii) the 2k-DLSE Assumption (see Section 
4) is conjectured to hold in these groups [vOW96] and therefore one can use 
minimal-length exponents (i.e., of length 2k) in these groups, obtaining yet an- 
other significant exponentiation speedup without sacrificing the security of the 
(hashed) DH transform; and (iv) these groups are free from the potentially se- 
rious attacks described in [LL97] (that affect subgroups of prime order q where 
(p − 1)/q has a relatively large smooth factor). Note that items (i) and (iii) follow 
essentially from our results. The only drawback of working over such a group is the 
cost of generating p's of the above form; this, however, is insignificant in typical 
applications (e.g., IKE [RFC2409]) in which this generation is very rare, and 
usually done at the set-up of the system and used for a large period of time. 

Note that in all of the above examples it is assumed that one knows the full or 
partial factorization of p − 1; in particular, the knowledge of this factorization is 
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essential for selecting a generator of the group. It is a theoretically and practically 
important question to establish whether the knowledge of the factorization of 
p − 1 is essential for working securely over $\mathbb{Z}_p^*$ or over one of its subgroups. In the 
rest of this section we show that this knowledge is not essential. Specifically, it 
follows from our results that if one chooses a random prime p (of a pre-specified 
size such that the Discrete Logarithm Problem is hard in $\mathbb{Z}_p^*$) and a random 
element e in $\mathbb{Z}_p^*$, then performing the hashed DH transform over the group 
generated by e is secure.* 

Let p be a random prime such that $p - 1 = p_1 p_2 \cdots p_n$ and $p_1 \le p_2 \le \dots \le p_n$ are 
all (not necessarily different and possibly unknown) primes. Let e be an element 
randomly chosen from $\mathbb{Z}_p^*$, and let $G_e$ denote the subgroup of $\mathbb{Z}_p^*$ generated by 
e. We first claim that with overwhelming probability the large prime factors of 
p − 1 divide the order of $G_e$. 



Lemma 5. Let $\mathbb{Z}_p^*$ and $p - 1 = p_1 \cdots p_n$ be as described above. Then for all $1 \le i \le n$: 
$\Pr_{e \in_R \mathbb{Z}_p^*}[p_i \nmid \mathrm{ord}(e)] \le 1/p_i$. 



Proof. Let g be a generator of $\mathbb{Z}_p^*$. There are at most $(p-1)/p_i$ elements whose 
order is not divisible by $p_i$, and they are the elements of the form for 
$1 \le j \le (p-1)/p_i$. When $p_i^2 \mid p - 1$ this is a strict upper bound, otherwise this 
is an exact bound. Thus, the probability to choose e such that $p_i \nmid \mathrm{ord}(e)$ is at 
most 

$$\frac{(p-1)/p_i}{p-1} = \frac{1}{p_i}.$$ □ 



Corollary 2. For a given bound B, let $p - 1 = \prod_{i=1}^{n} p_i$ where $p_j, p_{j+1}, \dots, p_n > B$. 
Then 

$$\Pr_{e \in_R \mathbb{Z}_p^*}\Big[\prod_{i=j}^{n} p_i \;\Big|\; \mathrm{ord}(e)\Big] \;\ge\; 1 - \sum_{i=j}^{n} \frac{1}{p_i} \;\ge\; 1 - \frac{n-j}{B} \;\ge\; 1 - \frac{\log p}{B}.$$ 



Thus, for large values of B, the order of a random element e is divisible, with 
overwhelming probability, by all the prime factors of p − 1 which are larger than 
B. Or, equivalently, $G_e$ has as subgroups all the prime-order subgroups of $\mathbb{Z}_p^*$ 
whose order is larger than B. 

Now, if we set our security parameter to k, define $B = 2^{2k}$, and assume that 
the DDH holds in subgroups of prime order larger than B, then we have that, 
with overwhelming probability, $G_e$ contains all the prime order DDH subgroups 
of $\mathbb{Z}_p^*$. In other words, if we denote by P the product of all prime factors of p − 1 
larger than B, we have that $G_e$ contains, by virtue of our DDH Characterization 
Theorem (Theorem 1), a DDH subgroup of size P, and then by the Max-Subgroup 
Theorem (Theorem 3) we get that $G_e$ is |P|-DDH. 

All that is left to argue is that |P| is large enough. For this we use the following 
Lemma from [vOW96] that provides an upper bound on the expected size of 
the product of all prime divisors of p − 1 that are smaller than B (and thus, it 
provides a lower bound on the expected size of |P|). 

* We stress that while the legitimate users of such a scheme do not need to know the 
factorization of p − 1, the scheme remains secure even if this factorization is known 
to the attacker. 
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

Lemma 6 ([vOW96]). For a random prime p (as above) and a fixed bound B, 
the expected length of $\prod p_i$ where $p_i < B$ is $\log B + 1$. 

In other words, the lemma states that the expected size of |P| is |p| − |B| = 
|p| − 2k. 

If, for the sake of illustration, we set |p| = 1024 and k = 80 we get that we 
expect $G_e$ to be 864-DDH. However, note that this expected size may vary for 
specific p's. Yet, note that even if p happens to have a B-smooth part that is 
4 times larger than expected (!) we are still left with a 384-DDH subgroup $G_e$ 
with enough computational entropy for most DH applications (such as deriving 
a 128-bit pseudorandom key). If one considers |p| = 2048 bits and k = 160 then the 
expected amount of entropy is 2048 − 320 = 1728 bits which, again, leaves plenty of 
room to compensate for "unlucky choices" of p. 

Notice that in order to use short exponents in this case (i.e. random prime 
p and random generator e), one must make sure that the order m of the group 
generated by e is either odd, or m/2 is odd (so that we can invoke Theorem 
5). This can be easily achieved by choosing first a random element e in $\mathbb{Z}_p^*$ and 
then using as the group generator the element mod p where f is the maximal 
integer such that $2^f \mid (p - 1)$ (the value f is, of course, trivial to obtain without 
requiring any significant factorization of p − 1). 
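As an added illustration (not code from the paper), the following Python exercises the Section 5 argument on toy primes whose p − 1 factorization is known: it counts exactly how many e in Z_p^* have p_i ∤ ord(e) against Lemma 5's bound (p − 1)/p_i, strips the 2-part of a random element's order so that Theorem 5 applies (raising e to 2^f, with f as defined above, is our reading of that step), and evaluates the entropy bound P > 2^{ℓ+2k} and the Lemma 6 expectation |p| − 2k. The moduli 37 and 1019 and all function names are ours.

```python
# Added example (not from the paper): checking the Section 5 argument on
# toy primes.  Function names and the toy moduli are our own.
from math import prod


def factor(n):
    """Trial-division factorisation; prime factors of n with multiplicity in
    nondecreasing order.  Toy sizes only: this is exactly the factorisation
    the legitimate parties are shown NOT to need in practice."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def mult_order(e, p, pm1_factors):
    """Order of e in Z_p^*, using the known factorisation of p - 1."""
    m = p - 1
    for q in set(pm1_factors):
        while m % q == 0 and pow(e, m // q, p) == 1:
            m //= q
    return m


def count_order_not_divisible(p, q, pm1_factors):
    """Exact number of e in Z_p^* with q not dividing ord(e).  Lemma 5 bounds
    this by (p-1)/q, with equality exactly when q^2 does not divide p-1, so
    dividing the count by p-1 gives the probability in the lemma."""
    return sum(1 for e in range(1, p)
               if mult_order(e, p, pm1_factors) % q != 0)


def lemma5_bound(p, q):
    """The (p-1)/q upper bound on the count above."""
    return (p - 1) // q


def odd_order_generator(e, p):
    """Return (e', f) with f maximal such that 2^f | p-1 and e' = e^(2^f) mod p.
    ord(e') divides the odd part of p-1, so <e'> has odd order as Theorem 5
    requires.  Raising to 2^f is our reading of the construction (the text
    only fixes f); no factorisation of p-1 is needed for this step."""
    f = 0
    while (p - 1) % (2 ** (f + 1)) == 0:
        f += 1
    return pow(e, 2 ** f, p), f


def ddh_entropy_product(pm1_factors, B):
    """P = product of the prime factors of p-1 larger than B; by Corollary 2
    and Theorem 3, G_e is |P|-DDH with overwhelming probability."""
    return prod(q for q in pm1_factors if q > B)


def short_output_ok(pm1_factors, k, ell):
    """Section 5 requirement for an ell-bit pseudorandom output at security
    level k: with B = 2^(2k), P must exceed the entropy bound 2^(ell + 2k)."""
    B = 2 ** (2 * k)
    return ddh_entropy_product(pm1_factors, B) > 2 ** (ell + 2 * k)


def expected_entropy_bits(p_bits, k):
    """Lemma 6: the expected |P| is |p| - |B| = |p| - 2k bits."""
    return p_bits - 2 * k


if __name__ == "__main__":
    for p in (37, 1019):              # 36 = 2^2 * 3^2,  1018 = 2 * 509
        fs = factor(p - 1)
        for q in sorted(set(fs)):
            print(p, q, count_order_not_divisible(p, q, fs), "<=", lemma5_bound(p, q))
        gen, f = odd_order_generator(2, p)
        print("generator", gen, "f =", f, "order", mult_order(gen, p, fs))
    print(expected_entropy_bits(1024, 80), expected_entropy_bits(2048, 160))
```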

Remark (semi-samplability). In the above discussion we have justified the 
usage of short exponents on the basis of Theorem 5. Note, however, that this 
theorem assumes the semi-samplability of the distributions $X(g^a, g^b)$. Therefore, 
we need to verify that this semi-samplability property holds for the above ap- 
plications. This is indeed the case since these applications use the distributions 
defined in the proof of Theorem 3, which are semi-samplable when the factoriza- 
tion of the group order is known (see the remark following the proof of Theorem 
3). Therefore, we obtain that, even though the honest parties can perform the 
hashed DH transform securely with short exponents, and without requiring the 
knowledge of the factorization of p − 1, the DH transform remains secure even 
if such factorization is available to the attacker. 
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A Indistinguishability of Probability Distributions 

Definition 6. Let $\mathcal{X}_n, \mathcal{Y}_n$ be two probability distributions over a support set $A_n$. 
We say that $\mathcal{X}_n$ and $\mathcal{Y}_n$ have statistical distance bounded by $\Delta(n)$ if 
$\sum_{x \in A_n} \big| \Pr_{\mathcal{X}_n}[x] - \Pr_{\mathcal{Y}_n}[x] \big| \le \Delta(n)$. We say that the ensembles $\mathcal{X}_n$ and 
$\mathcal{Y}_n$ are statistically indistinguishable if for every polynomial $P(\cdot)$ and for all suf- 
ficiently large n we have that $\Delta(n) < 1/P(n)$. 

Definition 7. Let $\mathcal{X}_n, \mathcal{Y}_n$ be two probability ensembles. Given a family of cir- 
cuits $D = \{D_n\}_n$ (called the distinguisher) consider the following quantities 

$\delta_{D, \mathcal{X}_n} = \Pr_{x \in \mathcal{X}_n}[D_n(x) = 1]$ and $\delta_{D, \mathcal{Y}_n} = \Pr_{y \in \mathcal{Y}_n}[D_n(y) = 1]$ 

We say that the probability ensembles $\mathcal{X}_n$ and $\mathcal{Y}_n$ are computationally indistin- 
guishable (by non-uniform distinguishers) if for every polynomial-size distin- 
guisher family D, for every polynomial $P(\cdot)$, and for all sufficiently large n we 
have that $|\delta_{D, \mathcal{X}_n} - \delta_{D, \mathcal{Y}_n}| < 1/P(n)$. 
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Abstract. We study the recently introduced notion of a simulation- 
sound trapdoor commitment (SSTC) scheme. In this paper, we present 
a new, simpler definition for an SSTC scheme that admits more ef- 
ficient constructions and can be used in a larger set of applications. 
Specifically, we show how to construct SSTC schemes from any one-way 
functions, and how to construct very efficient SSTC schemes based on 
specific number-theoretic assumptions. We also show how to construct 
simulation-sound, non-malleable, and universally-composable zero-know- 
ledge protocols using SSTC schemes, yielding, for instance, the most ef- 
ficient universally-composable zero-knowledge protocols known. Finally, 
we explore the relation between SSTC schemes and non-malleable com- 
mitment schemes by presenting a sequence of implication and separation 
results, which in particular imply that SSTC schemes are non-malleable. 



1 Introduction 

The notion of a commitment is one of the most important and useful notions 
in cryptography. Intuitively, a commitment is the digital equivalent of a “locked 
combination safe.” A party Alice would commit to a value by placing it into 
the safe, closing the safe, and spinning the lock, so that the value may later be 
revealed by Alice divulging the combination of the safe. Obviously, the value 
cannot be viewed by any other party prior to this opening (this is known as 
the “secrecy” or “hiding” property), and cannot be altered (this is known as 
the “binding” property). Commitments have been useful in a wide range of 
applications, from zero-knowledge protocols (e.g., [4,12,26]) to electronic com- 
merce (e.g., remote electronic bidding), and have been studied extensively (e.g., 
[3,32,33]). In many cases, however, one needs commitment schemes with addi- 
tional properties besides hiding and binding, such as those described below. 

A trapdoor commitment (TC) scheme is a commitment scheme with an ad- 
ditional “equivocability” property. Roughly speaking, for such a commitment 
scheme there is some trapdoor information whose knowledge would allow one 
to open a commitment in more than one way (and thus “equivocate”). Natu- 
rally, without the trapdoor, equivocation would remain computationally infeasi- 
ble [4,20,2]. 
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A non-malleable commitment (NMC) scheme is a commitment scheme with 
the property that (informally) not only is the value v placed inside a commitment 
secret, but seeing this commitment does not give another party any advantage 
in generating a new commitment that, once v is revealed, can then be opened 
to a value related to v [18,16,23,17,14].¹ 

Finally, a universally composable commitment (UCC) scheme is a commit- 
ment scheme with a very strong property that intuitively means that the security 
of a commitment is guaranteed even when commitment protocols are concur- 
rently composed with arbitrary protocols [5,6,15]. To achieve universal compos- 
ability, a commitment scheme seems to require equivocability, non-malleability, 
and furthermore, extractability. Roughly speaking, an extractable commitment 
scheme has a modified secrecy definition, which states that there is a secret key 
whose knowledge would allow one to extract the value placed in a commitment. 
Naturally, without this knowledge, the value would remain hidden. We note that 
the notion of a UCC scheme appears to be strictly stronger than the other no- 
tions of commitment schemes. In particular, Damgard and Groth [14] show that 
a UCC scheme implies secure key exchange, while both TC schemes and NMC 
schemes can be constructed from one-way functions. 

1.1 Simulation-Sound Trapdoor Commitments 

In this paper, we focus our attention on another extension of commitment 
schemes, namely simulation-sound trapdoor commitment (SSTC) schemes. An 
SSTC scheme is a TC scheme with a strengthened binding property, called 
simulation-sound binding. Roughly speaking, in an SSTC scheme, an adversary 
cannot equivocate on a commitment with a certain tag, even after seeing the 
equivocation of an unbounded number of commitments with different tags (i.e., 
the adversary may request an equivocation oracle to generate an unbounded 
number of commitments with different tags, and then to open them to arbitrary 
values). Here, a tag for a commitment is simply a binary string associated with 
the commitment. We will discuss tags in more detail below. 

The term “simulation soundness” was first used to describe a property of 
zero-knowledge proofs by Sahai [37], and intuitively meant that even though an 
adversary could see simulated proofs of incorrect statements, it could not itself 
produce a new proof of any incorrect statement. Garay et al. [24] first applied this 
term to trapdoor commitments. They gave a slightly stronger, although more 
complicated, simulation-sound binding property and an efficient construction 
based on DSA signatures [29]. Their definition was specifically tailored to the 
goal of developing a universally-composable zero-knowledge (UCZK) proof that 
was secure in the presence of adversaries that could adaptively corrupt parties.² 

¹ The original definition of [18] states (informally) that another party does not even 
have any advantage in creating a new commitment to a value related to v, regardless 
of the ability to open the new commitment. However, we will use the definition based 
on opening. 

² They use the term identifier in place of the term tag, and intuitively, in their defini- 
tion [24], a commitment made by the adversary using identifier id is binding, even if 
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1.2 Summary of Results 

Simpler Definition We provide a simpler definition of SSTC schemes than the 
one by Garay et al. [24]. Though the binding property in our definition is weaker, 
it is still sufficient in many applications (e.g., to construct UCZK protocols that 
are secure in the presence of adversaries that can adaptively corrupt parties). 

We also discuss various design issues in the definition, and most notably, the 
choice between definitions based on the tag of the commitment and on the body 
of the commitment. Informally, a tag-based definition requires that an adversary 
cannot equivocate a commitment com with a certain tag so long as it does not 
see the equivocation of any commitment with the same tag. On the other hand, 
a body-based definition requires that the adversary cannot equivocate a commit- 
ment com so long as the commitment com itself has not been equivocated. (Note 
that we use the term “body” to refer to the bit-string that is the commitment.) 

In our paper, we choose to focus on tag-based schemes since they admit sim- 
pler constructions and seem to be the most appropriate for our applications. For 
example, in constructing secure zero-knowledge protocols in the UC framework, 
where the communication is normally assumed to be authenticated, it is natural 
to use a tag-based scheme, setting the tag to be the pair of the identities of the 
prover and the verifier. 

Efficient Constructions We present various constructions of SSTC schemes. The 
first construction is a generic one based on the (minimal) assumption that one- 
way functions exist. Our construction is similar to that of a UCC commitment 
scheme in Canetti et al. [7]. However, because SSTC schemes do not require the 
extractability property, we are able to simplify the construction, and have it rely 
on a weaker assumption. The second construction is based on the DSA assump- 
tion, and is very efficient, involving only a small constant number of modular 
exponentiations. It is similar to the construction from Garay et al. [24], but is 
about twice as efficient. The third construction is based on Cramer-Shoup signa- 
tures [11], and relies on the strong RSA assumption [1]. It is also very efficient, 
again requiring only a small constant number of modular exponentiations. 

We remark here that our most efficient SSTC schemes are more efficient 
than all known UCC schemes. For instance, the UCC constructions of [6,7] are 
for bit commitments, and thus have an expansion factor of at least the security 
parameter. The UCC construction of [15] has constant expansion factor, but 
requires a CRS of length proportional to the number of parties times the security 
parameter. Recently and independent from this work, Damgard and Groth [14] 
presented a UCC scheme with a constant expansion factor with a CRS whose 
length is independent of the number of parties. However, their scheme is still 
quite complicated, since it requires interaction, and uses two different types of 

the adversary has seen any commitment using identifier id opened (using an oracle 
that knows a trapdoor) once to any arbitrary value, and moreover, any commitment 
using identifier id' ≠ id opened (again using the oracle) an unbounded number of 
times to any arbitrary values. 
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commitments, one a non-malleable commitment scheme, and the other a special 
“mixed commitment scheme.” 

Applications We show constructions of unbounded simulation-sound, unbounded 
non-malleable, and universally composable zero-knowledge (ZK) protocols using 
SSTC schemes in the common reference string (CRS) model. In particular, we 
show how to (1) convert a Σ-protocol [10] (which is a special three-round, honest- 
verifier protocol where the verifier only sends random bits) into an unbounded 
simulation-sound ZK protocol; and (2) convert an Ω-protocol [24] (which is a 
Σ-protocol with a straight-line extractor) into an unbounded non-malleable ZK 
protocol, and further into a universally-composable ZK protocol. The construc- 
tions are conceptually very simple. In fact, they all share the same structure, and 
all use a technique from Damgard [13] and Jarecki and Lysyanskaya [28]. The 
same technique was also used in Garay et al. [24] in constructing a universally- 
composable ZK protocol that is secure against adaptive corruptions. 

Our constructions are very efficient, and in particular our construction of 
a universally-composable ZK protocol is more efficient than previous construc- 
tions, at least when starting with a Σ-protocol. Compared to UCZK protocols 
based on universally-composable commitment schemes [6,7,14,15], our efficiency 
gain comes mainly from the fact that we avoid the Cook-Levin theorem [8,30],³ 
but also from the fact that some of our SSTC schemes are more efficient than 
any UCC schemes, as discussed above. Compared to the UCZK protocol in 
Garay et al. [24], our savings are twofold: the simpler SSTC construction (with 
a weaker definition) cuts the overhead of the SSTC commitments by half, and 
the direct use of the identities as tags eliminates the need for one-time signatures 
on the protocol transcripts. 

In recent and independent work, Gennaro [25] presented an SSZK protocol⁴ 
that is similar to our construction in Section 4. It uses a new type of commitment 
scheme called multi-trapdoor commitments, and an efficient implementation of 
this scheme based on the strong RSA assumption and a special hash property. A 
multi-trapdoor commitment scheme is similar to an SSTC scheme, except that 
it requires the existence of a different trapdoor (i.e., secret key) corresponding 
to each tag, and its security property corresponding to simulation-sound binding 
requires tags to be pre-chosen by the adversary.⁵ 

Relation to Non-malleable Commitments We discuss the relation between SSTC 
schemes and NMC schemes [18,16,17,14].⁶ At first glance, binding and non- 

³ In previous constructions, they build a UCZK protocol for an NP-complete 
language L (e.g. Hamiltonian Cycle or Satisfiability), and then the UCZK protocol 
for any NP language is reduced to it via the Cook-Levin theorem, which is not 
very efficient. 

⁴ It is also concurrent non-malleable ZK, if rewinding is allowed in witness extraction. 

⁵ We have recently defined a static SSTC scheme as a commitment scheme with only 
the second requirement, and note that it is also sufficient in our SSZK and NMZK 
constructions. 

⁶ Technically, when we refer to an NMC scheme, we will always mean an ε-non- 
malleable commitment scheme, following the notation proposed in [17]. 
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malleability (or analogously, equivocation and malleability) seem like very dif- 
ferent notions: while the former concerns the adversary’s ability to open a com- 
mitment to multiple values, the latter concerns the adversary’s ability to produce 
and open a commitment to a single value related to a previously committed value. 
However, they are actually closely related, and we shall show that simulation- 
sound binding implies non-malleability (when both are appropriately defined). 
In fact, a similar observation was used implicitly in [16,17,14] to construct NMC 
schemes. In particular, these NMC schemes are all based on trapdoor commit- 
ment schemes that satisfy a weak notion of simulation-sound binding. (Note 
that these results all use body-based definitions instead of tag-based definitions.) 
However, the exact relationship between the notions of simulation-sound binding 
and non-malleability was not known, e.g., if simulation-sound binding is strictly 
stronger than non-malleability, or if they are equivalent. 

We study the exact relationship between these two notions in this paper. To 
do this, we need to resolve some technical issues. First, just as SSTC schemes can 
be tag-based or body-based, NMC schemes can also be tag-based or body-based, 
where a tag-based NMC scheme is informally defined as one in which seeing a 
commitment (to some value v) with a certain tag does not give an adversary any 
advantage in generating a new commitment with a different tag that can later 
be opened to a value related to v. Since we focus on tag-based SSTC schemes, 
we will focus on their relation to tag-based NMC schemes.⁷ (Analogous results 
could be obtained for the relationship between body-based SSTC schemes and 
body-based NMC schemes.) Second, an SSTC scheme is a TC scheme, so to make 
a useful comparison, we consider non-malleable trapdoor commitment (NMTC) 
schemes. Third, since an adversary for an SSTC scheme is allowed to query an 
equivocation oracle, we will also consider NMTC schemes in which an adversary 
is allowed to query an equivocation oracle. 

Finally, we refine our definitions of SSTC schemes and NMTC schemes by 
specifying the number of equivocation oracle queries an adversary is allowed 
to make. An equivocation oracle, on a commit query, produces a commitment 
com and on a decommit query, opens com to an arbitrary value. We say a 
TC scheme is SSTC(ℓ), if it remains secure if the adversary is allowed to make 
at most ℓ commit queries to the oracle (with no restriction on the number of 
decommit queries). We define NMTC(ℓ) schemes similarly. We use SSTC(∞) and 
NMTC(∞) to denote the schemes where the adversary can make an unlimited 
number of commit queries. With the refined definitions (except for those related 
to the definition in [14], discussed below), we shall then prove that, for any 
constant ℓ, SSTC(ℓ + 1) is strictly stronger than NMTC(ℓ) and NMTC(ℓ) is 
strictly stronger than SSTC(ℓ). (In particular, note that even an SSTC(1) scheme 
is strictly stronger than an NMC scheme, since an NMTC(0) scheme is at least as 
strong as an NMC scheme.) Furthermore, SSTC(∞) is equivalent to NMTC(∞). 



⁷ Tag-based NMC schemes are also related to UCC schemes. In particular, it can be 
shown that a UCC scheme is also a tag-based NM commitment scheme in which the 
tag is the identity of the committing party. 
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See Figure 1. This makes it clear that the two notions, simulation-sound binding 
and non-malleability, are very closely related. 



[Figure 1: diagram not reproduced in this scan. Upper row: SSTC(0), SSTC(1), …, 
SSTC(ℓ − 1), SSTC(ℓ), …, SSTC(∞); lower row: NMTC(0), NMTC(1), …, 
NMTC(ℓ − 1), NMTC(ℓ), …, NMTC(∞); a two-sided arrow joins SSTC(∞) and NMTC(∞).] 

Fig. 1. The relation between SSTC and NMTC schemes, with one-sided arrows 
denoting strict implication and two-sided arrows denoting equivalence 



The definition of non-malleable commitments in Damgard and Groth [14] 
(which they call reusable non-malleable commitments) does not quite fit into the 
equivalence and separation results above. Their definition states that seeing one 
or more commitments does not give another party any advantage in generating 
one or more commitments that can later be opened to values related to the 
values in the original commitments. However, it can be shown that SSTC(∞) 
implies a reusable NMC scheme. As mentioned above, one can characterize their 
construction of a reusable NMC scheme as constructing a trapdoor commitment 
scheme that satisfies a slightly weaker notion of simulation-sound binding, and 
showing that this implies a reusable NMC scheme. 

Due to space limitations, some proofs to our theorems are omitted, and can 
be found in the full version [31]. 



2 Preliminaries and Definitions 

We will use signature schemes that are existentially unforgeable against adaptive 
chosen-message attacks [27]. However, some of these may only be used for a single 
signature, and for these, more efficient one-time signature scheme constructions 
may be used [19]. 

A commitment scheme is a two-phase protocol⁸ between a sender and a re- 
ceiver, both probabilistic polynomial-time Turing machines, that runs as follows. 
In the commitment phase, the sender commits to a value v by computing a pair 
(com, dec) and sending com to the receiver, and in the decommitment phase, 
the sender reveals (u, dec) to the receiver, who checks whether the pair is valid. 

Informally, a commitment scheme satisfies the hiding property, meaning that 
for any $v_1 \neq v_2$ of the same length, a commitment to $v_1$ is indistinguishable from 
a commitment to $v_2$, and the binding property, meaning that once the receiver 
receives com, the sender cannot open com to two different values, except with 
negligible probability. 

⁸ We define a standard non-interactive commitment scheme. We do not consider re- 
laxations to interactive commitment schemes. 
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We will always assume that commitments are labeled with a tag. While this 
is not a factor in the security of basic commitment schemes, it will be useful in 
defining certain enhanced commitment schemes, as will be obvious below. We 
also assume that there is a commitment generator function that generates a set 
of parameters for the commitment scheme. In other papers this is often referred 
to as a trusted third party or as the common reference string generation, and 
it is especially important when we define trapdoor commitment schemes be- 
low. (We include it in the basic definition to more conveniently define trapdoor 
commitment schemes.) 

Formally, we define a commitment scheme as follows. 

Definition 1. [Commitment Scheme] CS = (Cgen, Ccom, Cver) is a com- 
mitment scheme if Cgen, Ccom, and Cver are probabilistic polynomial-time algo- 
rithms such that 

— Completeness For all v and tag, 

$\Pr[pk \leftarrow \mathrm{Cgen}(1^k);\ (com, dec) \leftarrow \mathrm{Ccom}(pk, v, tag) :\ \mathrm{Cver}(pk, com, v, tag, dec) = 1] = 1.$ 

— Binding There is a negligible function α(k) such that for all non-uniform 
probabilistic polynomial-time adversaries A, 

$\Pr[pk \leftarrow \mathrm{Cgen}(1^k);\ (com, tag, v_1, v_2, dec_1, dec_2) \leftarrow A(pk) :$ 
$(\mathrm{Cver}(pk, com, v_1, tag, dec_1) = \mathrm{Cver}(pk, com, v_2, tag, dec_2) = 1) \wedge (v_1 \neq v_2)] \le \alpha(k).$ 

— Hiding For all pk generated with non-zero probability by Cgen($1^k$), for all 
$v_1, v_2$ of equal length, and for all tag, the following probability distributions 
are computationally indistinguishable: 

$\{(com_1, dec_1) \leftarrow \mathrm{Ccom}(pk, v_1, tag) : com_1\}$ and 
$\{(com_2, dec_2) \leftarrow \mathrm{Ccom}(pk, v_2, tag) : com_2\}.$ 

Next, we define trapdoor commitment schemes. (We borrow some notation
from Reyzin [35].) Informally, a trapdoor commitment scheme has the property
that there exists a trapdoor that would allow one to generate a "fake" commitment
along with information that would later allow one to decommit to any
subsequently given value $v$, and that this commitment/decommitment pair is
indistinguishable from an actual commitment to $v$ and a subsequent decommitment.

(Footnote: We do not use the term "common reference string" in our definition, since these parameters may be generated in a number of ways, and in particular, they may be generated by the receiver. In protocols where this value actually comes from a common reference string, we will make this clear.)

Definition 2. [Trapdoor Commitment Scheme]

$TC = (TCgen, TCcom, TCver, TCfakeCom, TCfakeDecom)$ is a trapdoor commitment scheme if $TCgen(1^k)$ outputs a public/secret key pair $(pk, sk)$, $TCgen_{pk}$ is a function that restricts the output of $TCgen$ to the public key, $(TCgen_{pk}, TCcom, TCver)$ is a commitment scheme, and $TCfakeCom$ and $TCfakeDecom$ are probabilistic polynomial-time algorithms such that

— Trapdoor Property: For all identifiers $tag$ and values $v$, the following probability distributions are computationally indistinguishable:

$$\{(pk, sk) \leftarrow TCgen(1^k);\ (com, \xi) \leftarrow TCfakeCom(pk, sk, tag);\ dec \leftarrow TCfakeDecom(\xi, v) : (pk, tag, v, com, dec)\}$$

and

$$\{(pk, sk) \leftarrow TCgen(1^k);\ (com, dec) \leftarrow TCcom(pk, v, tag) : (pk, tag, v, com, dec)\}.$$



3 Simulation-Sound Trapdoor Commitments 

In [24], simulation-sound trapdoor commitment (SSTC) schemes were introduced,
in order to construct a universally-composable zero-knowledge (UCZK)
protocol secure against adaptive corruptions. Intuitively, they defined an SSTC
scheme as a trapdoor commitment scheme with a simulation-sound binding property
that guarantees that a commitment made by the adversary using $tag$ is binding,
even if the adversary has seen any commitment using $tag$ opened (using a
simulator that knows a trapdoor) once to any arbitrary value, and moreover, any
commitment using $tag' \neq tag$ opened (again using the simulator) an unbounded
number of times to any arbitrary values.

Here we introduce a new definition for an SSTC scheme where the simulation-sound
binding property only guarantees that a commitment made by the adversary
using $tag$ is binding if the adversary has never seen the simulator
open a commitment using $tag$ (i.e., not even once, as is allowed in the previous
definition). Obviously this is a weaker property. However, we will show
that it also suffices for the desired application in [24], namely, for constructing
UCZK protocols secure against adaptive adversaries.

Definition 3. [SSTC Scheme]

$TC = (TCgen, TCcom, TCver, TCfakeCom, TCfakeDecom)$ is an SSTC scheme if $TC$ is a trapdoor commitment scheme such that

— Simulation-Sound Binding: There is a negligible function $\alpha(k)$ such that for all non-uniform probabilistic polynomial-time adversaries $A$,

$$\Pr[(pk, sk) \leftarrow TCgen(1^k);\ (com, tag, v_1, v_2, dec_1, dec_2) \leftarrow A^{O_{pk,sk}}(pk) : (TCver(pk, com, v_1, tag, dec_1) = TCver(pk, com, v_2, tag, dec_2) = 1) \wedge (v_1 \neq v_2) \wedge tag \notin Q] \leq \alpha(k),$$

where $O_{pk,sk}$ operates as follows, with $Q$ initially set to $\emptyset$:

— On input (commit, $tag$): compute $(com, \xi) \leftarrow TCfakeCom(pk, sk, tag)$, store $(com, tag, \xi)$, and add $tag$ to $Q$. Return $com$.

— On input (decommit, $com$, $v$): if for some $tag$ and some $\xi$, a tuple $(com, tag, \xi)$ is stored, compute $dec \leftarrow TCfakeDecom(\xi, v)$. Return $dec$.

(Footnote: Note that in addition to the simulation-sound binding property being modified, our definition of the underlying trapdoor commitment scheme is slightly different than the one given in [24].)

For the remainder of the paper, SSTC will refer to this new definition, and
SSTC(GMY) will refer to the old definition of [24].

Now we construct SSTC schemes based on specific cryptographic assumptions,
and sketch the proofs showing that they achieve simulation-sound binding.

SSTC scheme based on any one-way function. Here we present an efficient SSTC
scheme $TC$ based on a signature scheme, which in turn may be based on any
one-way function [36]. $TC$ is the aHC scheme from Canetti et al. [7] with the
following changes:

1. The underlying commitment scheme based on one-way permutations is
replaced by the commitment scheme of Naor [32] based on pseudorandom
generators (which can be built from any one-way function).

2. An extra parameter $tag$ is included, and the one-way function $f$ and
corresponding NP language $\{y \mid \exists x \text{ s.t. } y = f(x)\}$ used in the underlying
non-interactive Feige-Shamir trapdoor commitment [21] is replaced by the
signature verification relation $\{((sig\_vk, tag), \sigma) \mid 1 = sig\_verify(sig\_vk, tag, \sigma)\}$.

We omit the detailed description and proof of the simulation-soundness
of the scheme in this extended abstract.

SSTC scheme based on DSA. Here we present an efficient SSTC scheme $TC$
based on DSA. It is a simplified version of the DSA-based SSTC(GMY) scheme
from [24]. $TCgen(1^k)$ generates a DSA public/private key pair $(pk, sk)$, where
$pk = (g, p, q, y)$ and $sk = (g, p, q, x)$; $H$ denotes the hash function of DSA. For a message $m \in Z_q$, $TCcom((g, p, q, y), m, tag)$
first computes $\alpha \leftarrow_R Z_q$, $g' \leftarrow g^{\alpha} \bmod p$, and $h \leftarrow g^{H(tag)} y^{g' \bmod q} \bmod p$. (Note
that if $s$ is the discrete log of $h$ over $g'$, then $(g' \bmod q, s)$ is a DSA signature for
$tag$.) Then it generates a Pedersen commitment [34] to $m$ over bases $(g', h)$, i.e., it
generates $\beta \leftarrow_R Z_q$ and computes the commitment/decommitment pair $((g', c), \beta)$,
where $c \leftarrow (g')^{\beta} h^{m} \bmod p$. $TCver((g, p, q, y), (g', c), m, tag, \beta)$ verifies that $c = (g')^{\beta} h^{m} \bmod p$,
where $h = g^{H(tag)} y^{g' \bmod q} \bmod p$. $TCfakeCom((g, p, q, y), (g, p, q, x), tag')$ computes a
DSA signature $(r, s)$ on $tag'$ using the secret key $(g, p, q, x)$, computes the values
$g' \leftarrow (g^{H(tag')} y^{r})^{s^{-1} \bmod q} \bmod p$ and $h \leftarrow (g')^{s} \bmod p$, generates $\beta' \leftarrow_R Z_q$, and
sets $c \leftarrow h^{\beta'} \bmod p$. It outputs commitment $(g', c)$ and auxiliary information
$(q, \beta', s)$. Then $TCfakeDecom((q, \beta', s), m)$ outputs $(m, (\beta' - m)s \bmod q)$, which
is a decommitment to $m$.

To show the simulation-sound binding property, we show that if an adversary
can break this property, we can break DSA as follows. (We assume that DSA
is existentially unforgeable against an adaptive chosen-message attack.) Take a
DSA key $vk_0$ and its corresponding DSA signature oracle (from the definition of
existential unforgeability against an adaptive chosen-message attack). It is easy
to see that the equivocation oracle, and in particular the commit queries to that
oracle, may be implemented using the DSA signature oracle on the requested
tags.

Now say the adversary gives a double opening with $tag$, for which no commitment
was requested, and thus no call to the DSA signature oracle was
made. In particular, say it gives openings $(m, \beta)$ and $(m', \beta')$ of $(g', c)$. Then
$(g' \bmod q, (\beta' - \beta)/(m - m') \bmod q)$ is a signature on $tag$, breaking DSA.
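As an added Python example (not code from the paper or its authors), the DSA-based scheme just described together with the extraction step of its reduction: TCgen, TCcom, TCver, TCfakeCom and TCfakeDecom follow the paper's algorithms, and extract_signature turns two openings of one commitment into the DSA signature $(g' \bmod q, (\beta' - \beta)/(m - m') \bmod q)$ on the tag. Assumptions: $H$ is SHA-256 reduced modulo $q$, and the DSA parameters are toy-sized and constructed at run time.

```python
"""Toy DSA-based SSTC scheme (added example, not the paper's code).
Parameters are tiny and constructed only to make the algebra visible;
H is assumed to be SHA-256 reduced modulo q."""
import hashlib
import random

rng = random.SystemRandom()
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases: deterministic for the odd n > 37 tested here."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in BASES:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dsa_params(qbits=24):
    """Toy DSA group: primes q and p = k*q + 1, and g of order q mod p."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if not is_prime(q):
            continue
        for k in range(2, 4096, 2):
            p = k * q + 1
            g = pow(rng.randrange(2, p - 1), k, p)        # h^((p-1)/q)
            if is_prime(p) and g != 1:
                return p, q, g

def H(tag, q):
    return int.from_bytes(hashlib.sha256(tag.encode()).digest(), "big") % q

def TCgen(qbits=24):
    """pk = (g, p, q, y), sk = (g, p, q, x) with y = g^x mod p."""
    p, q, g = dsa_params(qbits)
    x = rng.randrange(1, q)
    return (g, p, q, pow(g, x, p)), (g, p, q, x)

def dsa_sign(sk, tag):
    g, p, q, x = sk
    while True:
        k = rng.randrange(1, q)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (H(tag, q) + x * r) % q
        if r and s:
            return r, s

def dsa_verify(pk, tag, sig):
    g, p, q, y = pk
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    return pow(g, H(tag, q) * w % q, p) * pow(y, r * w % q, p) % p % q == r

def base_h(pk, tag, gp):
    """Second Pedersen base h = g^H(tag) * y^(g' mod q); log_{g'}(h) is a DSA s."""
    g, p, q, y = pk
    return pow(g, H(tag, q), p) * pow(y, gp % q, p) % p

def TCcom(pk, m, tag):
    g, p, q, y = pk
    gp = pow(g, rng.randrange(1, q), p)                  # g' = g^alpha
    beta = rng.randrange(q)
    return (gp, pow(gp, beta, p) * pow(base_h(pk, tag, gp), m, p) % p), beta

def TCver(pk, com, m, tag, beta):
    g, p, q, y = pk
    gp, c = com
    return c == pow(gp, beta, p) * pow(base_h(pk, tag, gp), m, p) % p

def TCfakeCom(pk, sk, tag):
    """Trapdoor: sign tag, set g' = (g^H(tag) y^r)^(1/s) so that h = g'^s."""
    g, p, q, y = pk
    r, s = dsa_sign(sk, tag)
    gp = pow(pow(g, H(tag, q), p) * pow(y, r, p) % p, pow(s, -1, q), p)
    beta_fake = rng.randrange(q)
    return (gp, pow(pow(gp, s, p), beta_fake, p)), (q, beta_fake, s)   # c = h^beta'

def TCfakeDecom(aux, m):
    """Open a fake commitment to any m: beta = (beta' - m) * s mod q."""
    q, beta_fake, s = aux
    return (beta_fake - m) * s % q

def extract_signature(pk, com, m1, beta1, m2, beta2):
    """Reduction step: two openings (m1, beta1), (m2, beta2) of one (g', c) under
    one tag give s = (beta2 - beta1)/(m1 - m2) mod q; (g' mod q, s) signs tag."""
    q = pk[2]
    return com[0] % q, (beta2 - beta1) * pow(m1 - m2, -1, q) % q
```

Since only a trapdoor holder can double-open, TCfakeCom and TCfakeDecom stand in for the adversary when exercising extract_signature: one fake commitment opened to two messages yields a signature that dsa_verify accepts.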

SSTC scheme based on Cramer-Shoup signatures. Here we present an efficient
SSTC scheme $TC$ based on Cramer-Shoup signatures [11] and as secure as
strong RSA. (We note that the more efficient version of the Cramer-Shoup signature
scheme in Fischlin [22] could be used here as well to obtain an even
more efficient SSTC scheme.) $TCgen(1^k)$ generates a public/private key pair
$(pk, sk)$ for Cramer-Shoup signatures, where $pk = (N, h, x, e', H)$ and $sk = (p, q)$.
For a message $m \in \{0,1\}^k$, $TCcom((N, h, x, e', H), m, tag)$ first computes
$(y', x', e)$ as in the Cramer-Shoup signature protocol for $tag$, and sets
$x'' \leftarrow x\, h^{H(x')} \bmod N$. (Note that if $y$ is an $e$th root of $x''$ modulo $N$, then $(e, y, y')$
is a Cramer-Shoup signature for $tag$.) Then it uses the unconditionally-hiding
commitment scheme from [9] based on e-one-way homomorphisms (specifically,
based on the RSA encryption function with public key $(e, N)$, i.e., $f(a) = a^{e} \bmod N$)
over base $x''$ to commit to $m$. That is, it chooses $\beta \leftarrow_R Z_N^*$ and computes
the commitment/decommitment pair $((y', e, c), \beta)$, where $c \leftarrow (x'')^{m} \beta^{e} \bmod N$.
$TCver((N, h, x, e', H), (y', e, c), m, tag, \beta)$ verifies that $e$ is an odd $(k+1)$-bit integer
different from $e'$, $c = (x'')^{m} \beta^{e} \bmod N$, and $x'' = x\, h^{H(x')} \bmod N$, where $x'$
is computed from $y'$ and $e'$ as in the Cramer-Shoup signature protocol.

$TCfakeCom((N, h, x, e', H), (p, q), tag')$ first computes a signature $(e, y, y')$ on
$tag'$ using the secret key. Then it computes $x' \leftarrow (y')^{e'} h^{-H(tag')} \bmod N$ and
$x'' \leftarrow x\, h^{H(x')} \bmod N$, generates $\beta' \leftarrow_R Z_N^*$, and sets $c \leftarrow (\beta')^{e} \bmod N$. It outputs
commitment $(y', e, c)$ and auxiliary information $(N, \beta', y)$. Finally, the function
$TCfakeDecom((N, \beta', y), m)$ outputs $(m, \beta' y^{-m} \bmod N)$, which is a decommitment
to $m$.

To show the simulation-sound binding property, we show that if an adversary
can break this property, we can break the Strong RSA assumption. The proof
basically follows the proof of security (i.e., existential unforgeability against
adaptive chosen-message attack) of the Cramer-Shoup signature scheme from [11],
which for brevity we will call the CSSig proof. As in the CSSig proof, we divide
adversaries into Types I, II, and III. For each type, we respond to commit
queries to the equivocation oracle using signatures as computed in the responses
to the corresponding signature queries in the CSSig proof. Finally, instead of the
adversary producing a forged signature, the adversary gives a double opening of
a commitment with some $tag$ for which no commit query was made (and thus
for which no corresponding signature query was necessary). In particular, say
the adversary gives openings $(m, \beta)$ and $(m', \beta')$ of $(y', e, c)$ with $m > m'$. Then

$$(x'')^{m - m'} = (\beta' \beta^{-1})^{e} \bmod N.$$

For Type I and Type II adversaries, i.e., when $e$ is produced in response to a commit query, $e$ is prime and $e > m - m'$.
Therefore the value $y$ such that $y^{e} = x'' \bmod N$ may be computed (e.g., using the
Extended Euclidean Algorithm) and $(e, y, y')$ is a signature on $tag$. Then as in
the corresponding cases in the CSSig proof, this can be shown to break the standard
RSA assumption. In the case of a Type III adversary, $e$ is not necessarily
prime, so we may not necessarily obtain a signature on $tag$. However, the CSSig
proof simply uses the fact that $x'' = (\beta' \beta^{-1})^{e} \bmod N$ to show that Strong RSA
can be broken, and the equation $(x'')^{m - m'} = (\beta' \beta^{-1})^{e} \bmod N$ that we obtain
can be used in a similar way to show that Strong RSA can be broken. We omit
the details.

4 Application to ZK Proofs 

We show how an SSTC scheme can be used to construct unbounded simulation-sound
ZK protocols, unbounded non-malleable ZK protocols, and universally
composable ZK protocols. Our constructions are conceptually simpler than those
given by Garay et al. [24].

All our results will be in the common reference string (CRS) model, which
assumes that there is a string uniformly generated from some distribution and
available to all parties at the start of a protocol. Note that this is a generalization
of the public random string model, where a uniform distribution over fixed-length
bit strings is assumed.

4.1 Unbounded Simulation Sound and Non-malleable ZK 

Intuitively, a ZK protocol is unbounded simulation sound if an adversary cannot
convince the verifier of a false statement with non-negligible probability, even
after interacting with an arbitrary number of (simulated) provers. We refer the
readers to [24] for a formal definition.

Our construction starts with a class of three-round, public-coin, honest-verifier
zero-knowledge protocols, also known as $\Sigma$-protocols [10].

Consider a binary relation $R(x, w)$ that is computable in polynomial time.
A $\Sigma$-protocol $\Pi$ for the relation $R$ proves membership of $x$ in the language
$L_R = \{x \mid \exists w \text{ s.t. } R(x, w) = 1\}$. For a given $x$, let $(a, c, z)$ denote the conversation
between the prover and the verifier. To compute the first and the final messages,
the prover invokes efficient algorithms $a_\Pi(x, w, r)$ and $z_\Pi(x, w, r, c)$, respectively,
where $w$ is the witness, $r$ is the random bits, and $c$ is the challenge from the
verifier (as the second message). Using an efficient predicate $\phi_\Pi(x, a, c, z)$, the
verifier decides whether the conversation is accepting with respect to $x$. The
relation $R$, and the algorithms $a(\cdot)$, $z(\cdot)$ and $\phi(\cdot)$, are public.

We assume the protocol $\Pi$ has a simulator $S_\Pi$ that, taking the challenge
as input, generates an accepting conversation. More precisely, $(a, c, z) \leftarrow S_\Pi(c)$,
where the distribution of $(a, c, z)$ is computationally indistinguishable from
the real conversation.

The protocol $USS_{R[pk]}(x)$ is shown in Figure 2, and uses an SSTC scheme $TC$.
Say $\Pi$ is a $\Sigma$-protocol for relation $R$. The prover generates a pair $(sig\_vk, sig\_sk)$
for a strong one-time signature scheme and sends $sig\_vk$ to the verifier. Then the
prover generates the first message $a$ of $\Pi$ and sends its commitment $com$ to the
verifier, using the signature verification key $sig\_vk$ as the commitment tag. After
receiving the challenge $c$, the prover generates and sends the third message $z$ of
$\Pi$, opens the commitment $com$, signs the entire transcript using the signing key
$sig\_sk$, and sends the signature on the transcript to the verifier. (To be specific,
the transcript consists of all values sent or received by the prover in the protocol,
except the final signature.)



prover                                              verifier

(sig_vk, sig_sk) ← sig_gen(1^k)
a ← a_Π(x, w, r)
(com, dec) ← TCcom(pk, a, sig_vk)
                     ------ sig_vk, com ------>
                     <--------- c -------------
z ← z_Π(x, w, r, c)
s ← sig_sign(sig_sk, transcript)
                     ------ a, dec, z, s ----->
                                                    TCver(pk, com, a, sig_vk, dec)
                                                    φ_Π(x, a, c, z)
                                                    sig_verify(sig_vk, transcript, s)

Fig. 2. USS_{R[pk]}(x): An unbounded simulation-sound ZK protocol for relation
R with common input x and common reference string pk, where pk is drawn
from the distribution TCgen(1^k). The prover also knows the witness w such that
R(x, w) = 1.



Theorem 1. The protocol $USS_{R[pk]}(x)$ is a USSZK argument.

Intuitively, a ZK protocol is unbounded non-malleable if an efficient witness
extractor successfully extracts a witness from any adversary that causes the
verifier to accept, even when the adversary is also allowed to interact with any
number of (simulated) provers. Again, we refer the readers to [24] for a formal
definition.

Our construction of the NMZK protocol is very similar to that of the USSZK
protocol presented above, where the only difference is that the $\Sigma$-protocol is
replaced by an $\Omega$-protocol. Recall that an $\Omega$-protocol [24] is like a $\Sigma$-protocol with
the additional property that it admits a polynomial-time, straight-line extractor
(an $\Omega$-protocol works in the CRS model).







394 Philip MacKenzie and Ke Yang 



The protocol $NM_{R[pk,\sigma]}(x)$ is very similar to the protocol in Figure 2, but note
that here we assume that $\Pi$ is an $\Omega$-protocol with $\sigma$ being the CRS.

Theorem 2. The protocol $NM_{R[pk,\sigma]}(x)$ is an NMZK argument of knowledge for
the relation $R$.



4.2 Universally Composable ZK 

The universal composability paradigm was proposed by Canetti [5] for defining
the security and composition of protocols. To define security one first specifies an
ideal functionality using a trusted party that describes the desired behavior of
the protocol. Then one proves that a particular protocol operating in a real-life
model securely realizes this ideal functionality, as defined below. Here we briefly
summarize the framework.

A (real-life) protocol $\pi$ is defined as a set of $n$ interactive Turing Machines
$P_1, \ldots, P_n$, designating the $n$ parties in the protocol. It operates in the presence
of an environment $Z$ and an adversary $A$, both of which are also modeled as
interactive Turing Machines. The environment $Z$ provides inputs and receives
outputs from honest parties, and may communicate with $A$. $A$ controls (and
may view) all communication between the parties. (Note that this models asynchronous
communication on open point-to-point channels.) We will assume that
messages are authenticated, and thus $A$ may not insert or modify messages between
honest parties. $A$ also may corrupt parties, in which case it obtains the
internal state of the party. (In the non-erasing model, the internal state would
encompass the complete internal history of the party.)

(Footnote: This feature could be added to an unauthenticated model using a message authentication functionality as described in [5].)

The ideal process with respect to a functionality $\mathcal{F}$ is defined for $n$ parties
$P_1, \ldots, P_n$, an environment $Z$, and an (ideal-process) adversary $S$. However,
$P_1, \ldots, P_n$ are now dummy parties that simply forward (over secure channels)
inputs received from $Z$ to $\mathcal{F}$, and forward (again over secure channels) outputs
received from $\mathcal{F}$ to $Z$. Thus the ideal process is a trivially secure protocol with
the input-output behavior of $\mathcal{F}$.

The zero-knowledge functionality. The (multi-session) ZK functionality as defined
by Canetti [5] is given in Figure 3. In the functionality, parameterized by
a relation $R$, the prover sends to the functionality the input $x$ together with a
witness $w$. If $R(x, w)$ holds, then the functionality forwards $x$ to the verifier. As
pointed out in [5], this is actually a proof of knowledge in that the verifier is
assured that the prover actually knows $w$.

Garay et al. [24] proved that any "augmentable" NMZK protocol can be
easily converted to a UCZK protocol in the $\mathcal{F}_{CRS}$-hybrid model, assuming static
corruptions. Intuitively, an NMZK protocol is augmentable if the first message
sent by the prover contains the common input $x$ and a special field $aux$ which
the prover can fill with an arbitrary string without compromising security. (In
F_ZK proceeds as follows, running parties P_1, ..., P_n, and an adversary S:

— Upon receiving (zk-prover, sid, ssid, P_i, P_j, x, w) from P_i: If R(x, w) then send
(ZK-PROOF, sid, ssid, P_i, P_j, x) to P_j and S. Otherwise, ignore.

Fig. 3. The (multi-session) zero-knowledge functionality (for relation R)


P_i (prover)                                        P_j (verifier)

a ← a_Π(x, w, r, σ)
tag ← (P_i, P_j)
(com, dec) ← TCcom(pk, a, tag)
                     -------- x, com -------->
                     <---------- c -----------
z ← z_Π(x, w, r, c, σ)
                     ------- a, dec, z ------->
                                                    tag ← (P_i, P_j)
                                                    TCver(pk, com, a, tag, dec)
                                                    φ_Π(x, a, c, z)

Fig. 4. MYZK_{R[pk,σ]}(x): A UCZK protocol for relation R with common reference
string (pk, σ) where pk is drawn from the distribution TCgen(1^k) and σ
is drawn from the distribution of the CRS for protocol Π.



the conversion to UCZK in [24], the auxiliary string contains the $sid$, the $ssid$,
and the identities of the prover and verifier.)

It can be readily verified that the protocol $NM_{R[pk,\sigma]}(x)$ can be easily made
augmentable by adding $x$ and $aux$ in the first message. We denote the slightly
modified protocol where the $aux$ field is set to $(sid, ssid, P_i, P_j)$ by $ANM_{R[pk,\sigma]}(x)$.
Then it follows that $ANM_{R[pk,\sigma]}(x)$ is a UCZK protocol for relation $R$, assuming
static corruptions.

However, one can simplify this protocol by removing the one-time signature
scheme, only including the identities of the prover and verifier in the auxiliary
string, and using this auxiliary string as the tag of the commitment scheme. This
simplified scheme, $MYZK_{R[pk,\sigma]}(x)$, is shown in Figure 4. (Note that since we are
assuming authenticated communication in the UC framework, the identities $P_i$
and $P_j$ will be known to both parties, and thus do not need to be explicitly
sent in our protocol.) Furthermore, this protocol can be easily modified into one
that remains secure against adaptive corruption in the erasing model. In fact, all
that is needed is to have the prover erase the randomness used in the $\Omega$-protocol
before sending the final message.

Theorem 3. The protocol $MYZK_{R[pk,\sigma]}(x)$ is a UCZK protocol for relation $R$, assuming
static corruptions. By erasing the randomness ($r$) used in the $\Omega$-protocol
before the final message, it is a UCZK protocol for relation $R$, assuming adaptive
corruption (in the erasing model).
5 Comparison to Non-malleable Commitments

We explore the exact relation between SSTC schemes and NMC schemes.

Our definition for non-malleable (NM) commitments is based on the definition
in [17], which, technically speaking, defines the notion of $\epsilon$-non-malleability,
instead of strict non-malleability. For the clarity of presentation, we shall use
the term "non-malleability" to mean $\epsilon$-non-malleability, and will note any places
where our results have application to strict non-malleability.

(Footnote: Slightly more formally, we say that it is $\epsilon$-non-malleable if for all $\epsilon$ it cannot do this with probability non-negligibly greater than $\epsilon$.)

Informally, similar to the definition in [17], we say a commitment scheme is
non-malleable if when an adversary sees a commitment $com_1$, generates its own
commitment $com_2$, and sees $com_1$ opened, it cannot then open $com_2$ to a value
related to $com_1$ with any greater probability than a simulator that never saw
$com_1$ in the first place. Note that this is also called non-malleability with respect
to opening [16] and differs from the original definition of [18] that was discussed
in the introduction, and which is also called non-malleability with respect to
commitment. Our definition differs from the definition in [17] as follows.

— We only define NM trapdoor commitment (NMTC) schemes, since that is
what will be of most interest in comparisons to SSTC schemes. Non-trapdoor
versions of these definitions are straightforward.

— We use tag-based definitions instead of body-based definitions. Again this is
what will be of most interest in comparisons to SSTC schemes. Body-based
definitions are straightforward. In fact, most of our results relating SSTC
schemes and NMTC schemes also hold when these schemes are defined using
body-based definitions. We will discuss this later.

Due to space limitations, we omit the formal definition of an NMTC scheme.
It may be obtained in a straightforward manner from the formal definition in [17]
and the changes described above.

As mentioned in the introduction, the recent work of Damgard and Groth [14]
generalizes and strengthens the definition of non-malleable commitments to be
reusable, i.e., to have the property that seeing one or more commitments does
not give another party any advantage in generating one or more commitments
that can later be opened to values related to the values in the original commitments.
Their definition also stipulates that the distribution of committed
messages is dependent on the public key. However, we will continue to use the
simpler definition, since it exemplifies the relation between SSTC schemes and
NMTC schemes. Later we will discuss how to obtain similar relations to reusable
NMTC schemes.

Note that we can generalize the definition of NMTC to NMTC($\ell$) schemes,
which are NMTC schemes in which the adversary is allowed to query an oracle
$O_{pk,sk}$ as defined in the SSTC definition, but with at most $\ell$ commit queries allowed,
and with the restriction that the commitment produced by the adversary
has a tag that is not used in any of the commit queries. Note that an NMTC
scheme is an NMTC(0) scheme. We use $\ell = \infty$ to denote an oracle which accepts
an unbounded number of commit queries.

We similarly generalize the definition of SSTC schemes and consider SSTC($\ell$)
schemes. Then an SSTC(0) scheme is just a TC scheme, and an SSTC($\infty$) scheme
is what we have called an SSTC scheme.

As mentioned above, we have defined NMTC schemes as tag-based, as opposed
to body-based, as usually seen in the literature [18,16,23,17,14]. However, this
is not a significant distinction since there exist fairly generic reductions from
one to the other. Our next theorem shows such a reduction from body-based
NMTC schemes to tag-based ones.

Here, we assume the commitment scheme allows commitments to strings of
arbitrary length. A similar theorem could be shown for commitment schemes
which allow only fixed-length commitments, say of length equal to the security
parameter.

Theorem 4. Let $TC$ be a body-based NMTC scheme. Let $TC'$ be $TC$, but with the
tag added to the message being committed. That is, $TCgen'(1^k)$ returns the result
of $TCgen(1^k)$, $TCcom'(pk, v, tag)$ returns the result of $TCcom(pk, (v, tag), tag)$,
and $TCver'(pk, com, v, tag, dec)$ returns the result of $TCver(pk, com, (v, tag), tag, dec)$.
Then $TC'$ is a tag-based NMTC scheme.

Considering the problem of converting tag-based SSTC or NMTC schemes to
body-based SSTC or NMTC schemes, it seems that a simple construction like the
one in Theorem 4 does not suffice. Instead, one could construct a body-based
scheme by generating a verification/signing key pair for a strong one-time signature
scheme, using the verification key as the tag in the tag-based commitment,
signing the tag-based commitment using the signing key, and giving the pair (the
tag-based commitment and the associated signature) as the full commitment. As
this is a fairly standard technique, used in, e.g., [24], we omit the analysis here.



5.1 Relations between SSTC and NMTC 

First we show that for all $\ell \geq 0$, an SSTC($\ell + 1$) scheme is also an NMTC($\ell$)
scheme, and an NMTC($\ell$) scheme is also an SSTC($\ell$) scheme.

Theorem 5. Let $TC$ be an SSTC($\ell + 1$) scheme. Then $TC$ is an NMTC($\ell$)
scheme.

Theorem 6. Let $TC$ be an NMTC($\ell$) scheme. Then $TC$ is an SSTC($\ell$) scheme.

To relate our results to reusable non-malleable commitment schemes as defined
in [14], we need to consider adversaries that input a vector of commitments
(and later decommitments), and output a vector of commitments (and later
decommitments). To be specific, let $(t, u)$-NMTC($\ell$) denote a reusable NMTC
commitment scheme with an input vector of size $t$ and an output vector of size $u$.
Then using a proof similar to above, but with some additional ideas from [14],
we can prove the following theorem.

Theorem 7. Let $TC$ be an SSTC($\ell + t$) scheme. Then $TC$ is a $(t, u)$-NMTC($\ell$)
scheme.

(Footnote: As in [14], we change the definition of a valid relation (over vectors of messages) to one in which all messages including $\bot$ are allowed, but where the probability of the relation being true cannot be increased by changing a message in the second (adversarially-chosen) vector to $\bot$.)

Finally, we show the following separation results.

Theorem 8. Assuming the hardness of the discrete logarithm problem, there
exists an SSTC($\ell$) scheme that is not NMTC($\ell$), for every $\ell \geq 0$.

Theorem 9. If there exists an NMTC($\ell$) scheme, then there exists an NMTC($\ell$)
scheme that is not SSTC($\ell + 1$).

References

1. N. Baric and B. Pfitzmann. Collision-free accumulators and fail-stop signature
schemes without trees. In Advances in Cryptology - EUROCRYPT '97 (LNCS
1233), 480-494, 1997.

2. D. Beaver. Adaptive zero-knowledge and computational equivocation. In 28th ACM
Symp. on Theory of Computing, 629-638, 1996.

3. M. Blum. Coin flipping by telephone. In IEEE Spring COMPCON, 133-137,
1982.

4. G. Brassard, D. Chaum, and C. Crepeau. Minimum Disclosure Proofs of Knowledge.
JCSS, 37(2):156-189, 1988.

5. R. Canetti. Universally composable security: A new paradigm for cryptographic
protocols. In 42nd IEEE Symp. on Foundations of Computer Sci., 136-145, 2001.

6. R. Canetti and M. Fischlin. Universally composable commitments. In Advances in
Cryptology - CRYPTO 2001 (LNCS 2139), 19-40, 2001.

7. R. Canetti, Y. Lindell, R. Ostrovsky and A. Sahai. Universally composable two-party
computation. In 34th ACM Symp. on Theory of Computing, 494-503, 2002.
Full version in ePrint Archive, Report 2002/140. http://eprint.iacr.org/, 2002.

8. S. A. Cook. The complexity of theorem-proving procedures. In 3rd IEEE Symp.
on Foundations of Computer Sci., 151-158, 1971.

9. R. Cramer and I. Damgard. Zero-Knowledge Proofs for Finite Field Arithmetic,
or: Can Zero-Knowledge Be for Free? In Advances in Cryptology - CRYPTO '98
(LNCS 1462), 424-441, 1998.

10. R. Cramer, I. Damgard, and B. Schoenmakers. Proofs of partial knowledge
and simplified design of witness hiding protocols. In Advances in Cryptology -
CRYPTO '94 (LNCS 839), 174-187, 1994.

11. R. Cramer and V. Shoup. Signature scheme based on the strong RSA assumption.
ACM Trans. on Information and System Security, 3(3):161-185, 2000.

12. I. Damgard. On the existence of bit commitment schemes and zero-knowledge
proofs. In Advances in Cryptology - CRYPTO '89 (LNCS 435), 17-29, 1989.

On Simulation-Sound Trapdoor Commitments 399

13. I. Damgard. Efficient Concurrent Zero-Knowledge in the Auxiliary String Model.
In Advances in Cryptology - EUROCRYPT 2000 (LNCS 1807), 418-430, 2000.

14. I. Damgard and J. Groth. Non-interactive and reusable non-malleable commitment
schemes. In 35th ACM Symp. on Theory of Computing, 426-437, 2003.

15. I. Damgard and J. Nielsen. Perfect hiding and perfect binding universally composable
commitment schemes with constant expansion factor. In Advances in Cryptology
- CRYPTO 2002 (LNCS 2442), 581-596, 2002. Full version in ePrint Archive,
Report 2001/091. http://eprint.iacr.org/, 2001.

16. G. Di Crescenzo, Y. Ishai, and R. Ostrovsky. Non-interactive and non-malleable
commitment. In 30th ACM Symp. on Theory of Computing, 141-150, 1998.

17. G. Di Crescenzo, J. Katz, R. Ostrovsky, and A. Smith. Efficient and Non-Interactive
Non-Malleable Commitment. In Advances in Cryptology - EUROCRYPT 2001
(LNCS 2045), 40-59, 2001.

18. D. Dolev, C. Dwork and M. Naor. Non-malleable cryptography. SIAM J. on Comput.,
30(2):391-437, 2000. Also in 23rd ACM Symp. on Theory of Computing,
542-552, 1991.

19. S. Even, O. Goldreich, and S. Micali. On-line/Off-line digital signatures. J. Cryptology,
9(1):35-67, 1996.

20. U. Feige and A. Shamir. Witness Indistinguishable and Witness Hiding Protocols.
In 22nd ACM Symp. on Theory of Computing, 416-426, 1990.

21. U. Feige and A. Shamir. Zero-Knowledge Proofs of Knowledge in Two Rounds. In
Advances in Cryptology - CRYPTO '89 (LNCS 435), 526-544, 1989.

22. M. Fischlin. The Cramer-Shoup strong-RSA signature scheme revisited. In Public
Key Cryptography - PKC 2003 (LNCS 2567), 116-129, 2003.

23. M. Fischlin and R. Fischlin. Efficient non-malleable commitment schemes. In Advances
in Cryptology - CRYPTO 2000 (LNCS 1880), 413-431, 2000.

24. J. A. Garay, P. MacKenzie, and K. Yang. Strengthening Zero-Knowledge Protocols
using Signatures. In Advances in Cryptology - EUROCRYPT 2003 (LNCS 2656),
177-194, 2003.

25. R. Gennaro. Improved Proofs of Knowledge Secure under Concurrent Man-in-the-middle
Attacks and their Applications. In ePrint Archive, Report 2003/214.
http://eprint.iacr.org/, 2003.

26. O. Goldreich, S. Micali and A. Wigderson. Proofs that yield nothing but their validity
or All languages in NP have zero-knowledge proof systems. J. ACM, 38(3):691-729,
1991.

27. S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against
adaptive chosen-message attacks. SIAM J. Comput., 17:281-308, 1988.

28. S. Jarecki and A. Lysyanskaya. Adaptively Secure Threshold Cryptography: Introducing
Concurrency, Removing Erasures. In Advances in Cryptology - EUROCRYPT
2000 (LNCS 1807), 221-242, 2000.

29. D. W. Kravitz. Digital signature algorithm. U.S. Patent 5,231,668, 27 July 1993.

30. L. A. Levin. Universal sorting problems. Problemy Peredaci Informacii, 9:115-116,
1973. In Russian. Engl. trans.: Problems of Information Transmission, 9:265-266.

31. P. MacKenzie and K. Yang. On simulation-sound trapdoor commitments (full version).
Available on the Cryptology ePrint Archive: http://eprint.iacr.org/2003/252.

32. M. Naor. Bit commitment Using Pseudo-Randomness. J. Cryptology, 4(2):151-158,
1991.

33. M. Naor, R. Ostrovsky, R. Venkatesan, and M. Yung. Perfect zero-knowledge arguments
for NP can be based on general complexity assumptions. In Advances in
Cryptology - CRYPTO '92 (LNCS 740), 196-214, 1992.

34. T. P. Pedersen. Non-Interactive and Information-Theoretic Secure Verifiable Secret
Sharing. In Advances in Cryptology - CRYPTO '91 (LNCS 576), 129-140, 1991.

35. L. Reyzin. Zero-knowledge with public keys. Ph.D. Thesis, MIT, 2001.

36. J. Rompel. One-way functions are necessary and sufficient for secure signatures.
In 22nd ACM Symp. on Theory of Computing, 387-394, 1990.

37. A. Sahai. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext
security. In 40th IEEE Symp. on Foundations of Computer Sci., 543-553,
1999.




Hash Function Balance
and Its Impact on Birthday Attacks

Mihir Bellare and Tadayoshi Kohno

Dept. of Computer Science & Engineering, University of California, San Diego
9500 Gilman Drive, La Jolla, CA 92093, USA
{mihir,tkohno}@cs.ucsd.edu
http://www-cse.ucsd.edu/users/{mihir,tkohno}



Abstract. Textbooks tell us that a birthday attack on a hash function h with range size r requires r^{1/2} trials (hash computations) to find a collision. But this is quite misleading, being true only if h is regular, meaning all points in the range have the same number of pre-images under h; if h is not regular, fewer trials may be required. But how much fewer? This paper addresses this question by introducing a measure of the “amount of regularity” of a hash function that we call its balance, and then providing estimates of the success-rate of the birthday attack, and the expected number of trials to find a collision, as a function of the balance of the hash function being attacked. In particular, we will see that the number of trials can be significantly less than r^{1/2} for hash functions of low balance. This leads us to examine popular design principles, such as the MD (Merkle-Damgard) transform, from the point of view of balance preservation, and to mount experiments to determine the balance of popular hash functions.



1 Introduction 

Birthday attacks. Let h: D → R be a hash function. In a birthday attack, we pick points x_1, …, x_q from D and compute y_i = h(x_i) for i = 1, …, q. The attack is successful if there exists a collision, i.e. a pair i, j such that x_i ≠ x_j but y_i = y_j. We call q the number of trials.

There are several variants of this attack which differ in the way the points x_1, …, x_q are chosen (cf. [4,8,9,10]). The one we consider is that they are chosen independently at random from D.¹

Textbooks (eg. Stinson [8, Section 7.3]) say that (due to the birthday phenomenon which gives the attack its name) a collision is expected within r^{1/2} trials, where r denotes the size of the range of h. In particular, they say that

¹ One might ask how to mount the attack (meaning how to pick random domain points) when the domain is a very large set as in the case of a hash function like SHA-1 whose domain is the set of all strings of length at most 2^{64}. We would simply let h be the restriction of SHA-1 to inputs of some reasonable length, like 161 bits or 320 bits. A collision for h is a collision for SHA-1, so it suffices to attack the restricted function.



C. Cachin and J. Camenisch (Eds.): EUROCRYPT 2004, LNCS 3027, pp. 401-418, 2004. 
collisions in a hash function with output length m bits can be found in about 2^{m/2} trials. This estimate is the basis for the choice of hash function length m, which is typically made just large enough to make 2^{m/2} trials infeasible.

However Stinson’s analysis [8, Section 7.3], as well as all others that we have seen, are misleading, for they assume the hash function is regular, meaning all points in the range have the same number of pre-images under h.² It turns out that if h is not regular, it takes fewer than r^{1/2} trials to find a collision, meaning the birthday attack would succeed sooner than expected.

This could be dangerous, for we do not know that popular hash functions are 
regular. In fact they are usually designed to have “random” behavior and thus 
would not be regular. Yet, one might say, they are probably “almost” regular. 
But what exactly does this mean, and how does the “amount of regularity” affect 
the number of trials to success in the birthday attack? Having answers to such 
questions will enable us to better assess the true impact of birthday attacks. 

This paper. To help answer questions such as those posed above, this paper begins by introducing a measure of the “amount of regularity” that we call the balance of a hash function. This is a real number between 0 and 1, with balance 1 indicating that the hash function is regular and balance 0 that it is a constant function, meaning as irregular as can be. We then provide quantitative estimates of the success-rate, and number of trials to success, of the birthday attack, as a function of the balance of the hash function being attacked.

This yields a tool that has a variety of uses, and lends insight into various 
aspects of hash function design and parameter choices. For example, by analyti- 
cally or experimentally estimating the balance of a particular hash function, we 
can tell how quickly the birthday attack on this hash function will succeed. Let 
us now look at all this in more detail. 



The balance measure. View the range R of hash function h: D → R as consisting of r ≥ 2 points R_1, …, R_r. For i = 1, …, r we let h^{-1}(R_i) be the pre-image of R_i under h, meaning the set of all x ∈ D such that h(x) = R_i, and let d_i = |h^{-1}(R_i)| be the size of the pre-image of R_i under h. We let d = |D| be the size of the domain. We define the balance of h as

$$\mu(h) = \log_r\left(\frac{d^2}{d_1^2 + \cdots + d_r^2}\right)$$

where log_r(·) denotes the logarithm in base r. Proposition 1 says that for any hash function h, the balance of h is a real number in the range from 0 to 1. Furthermore, the maximum balance of 1 is achieved when h is regular (meaning d_i = d/r for all i) and the minimum balance of 0 is achieved when h is a constant function (meaning d_i = d for some i and d_j = 0 for all j ≠ i). Thus regular functions are well-balanced and constant functions are poorly balanced, but there are lots of possibilities in between these extremes.

² They regard x_i as a ball thrown into bin h(x_i) and then apply the standard birthday analysis. But the latter assumes each ball is equally likely to land in each bin. If R_1, …, R_r denote the range points then the probability that a ball lands in bin R_j is |h^{-1}(R_j)|/d where d = |D|. These values are all the same only if h is regular.
Results. We are interested in the probability C of finding a collision in q trials of the birthday attack, and also in the threshold Q, defined as the number of trials required for the expected number of collisions to be one. (Alternatively, the expected number of trials to find a collision.) Corollary 1 and Theorem 2, respectively, say that, up to constant factors,³

$$C = \Theta\!\left(\frac{q^2}{r^{\mu(h)}}\right) \quad\text{and}\quad Q = \Theta\!\left(r^{\mu(h)/2}\right) \qquad (1)$$

These results indicate that the performance of the birthday attack can be characterized, quite simply and accurately, via the balance of the hash function h being attacked.

Remarks. Note that when μ(h) = 1 (meaning, h is regular) then Equation (1) says that, up to constant factors, Q = r^{1/2}, which agrees with the above-discussed standard estimate for this case. At the other extreme, when μ(h) = 0, meaning h is a constant function, the attack finds collisions in O(1) trials so Q = 1. The value of the general results of Equation (1) is that they show the full spectrum in between the extremes of regular and constant functions. As the balance of the hash function drops, the threshold Q of the attack decreases, meaning collisions are found faster. For example a birthday attack on a hash function of balance μ(h) = 1/2 will find a collision in about Q = r^{1/4} trials, which is significantly less than r^{1/2}. Thus, we now have a way to quantitatively assess how irregularity in h impacts the success-rate of the birthday attack.

We clarify that the attacker does not need to know the balance of the hash 
function in order to mount the attack. (The attack itself remains the birthday 
attack outlined above.) 

Bounds rather than approximate equalities. Corollary 1 provides both 
upper and lower bounds on C that are tight in the sense of being within a 
constant factor (specifically, a factor of four) of each other. (And Theorem 1 does 
even better, but the expressions are a little more complex.) Similarly, Theorem 2 
provides upper and lower bounds on Q that are within a constant factor of each 
other. 

We claim bounds are important. The estimates of how long the birthday 
attack takes to succeed, and the ensuing choices of output-lengths of hash func- 
tions, have been based so far on textbook approximate equality calculations of 
the threshold that are usually upper bounds but not lower bounds on the exact 
value. Yet, from a design perspective, the relevant parameter is actually a lower 
bound on the threshold since otherwise the attack might be doing better than 
we estimate. 

The quality (ie. tightness) of the bounds is also important. Deriving a good lower bound on C required significantly more analytical work than merely producing a rough estimate of approximate equality. With regard to Q we remark that our upper bound, although within a constant factor of the lower bound, is not as tight as we would like, and it is an interesting question to improve it.

³ This assumes d ≥ 2r and, in the case of C, that q ≤ (1/5)·r^{μ(h)/2}.

Impact on output lengths. Suppose we wish to design a hash function h for which the birthday attack threshold is 2^{80} trials. A consequence of our results above is that we must have r^{μ(h)/2} = 2^{80}, meaning we must choose the output-length of the hash function to be 160/μ(h) bits. Thus to minimize output-length we must maximize balance, meaning we would usually want to design hash functions that are almost regular (balance close to one).

The general principle that hash functions should be as close to regular as 
possible is, we believe, well-known as a heuristic. Our results, however, provide a 
way of quantifying the loss in security as a function of deviations from regularity. 

Random hash functions. Designers of hash functions often have as target to make the hash function have “random” behavior. Proposition 2 together with Equation (1) enable us to estimate the impact of this design principle on birthday attacks. As an example, they imply that if h is a random hash function with d = 2r then the expected probability of a collision in q trials is about 3/2 times what it would be for a regular function, while the expected threshold is about √(2/3) times what it would be for a regular function. In particular, random functions are worse than regular functions from the point of view of protection against birthday attacks, though the difference between random and regular functions decreases as the ratio d/r increases.

Thus, if one wants the best possible protection against both birthday and 
cryptanalytic attacks, one should design a function that is not entirely random 
but random subject to being regular. This is true both of the hash function itself, 
and of the hash function restricted to domains from which the adversary may 
draw points in its attack (eg. a restriction of SHA-1 to all 161-bit strings). This, 
however, may be more difficult than designing a hash function that has entirely 
random behavior, so that the latter remains the design goal, and in this case it 
is useful to have tools like ours that enable designers to estimate the impact of 
deviations from regularity on the birthday attack and fine tune output lengths 
if necessary. 

Does the MD transform preserve balance? Given the above results we 
would like to be building hash functions that have high balance. We look at some 
elements of current design to see how well they reflect this requirement. 

Hash functions like MD5 [7], SHA-1 [6] and RIPEMD-160 [3] are designed 
by applying the Merkle-Damgard (MD) [5,2] transform to an underlying com- 
pression function. Designers could certainly try to ensure that the compression 
function is regular or has high balance, but this turns out not to be enough 
to ensure high balance of the hash function because Proposition 3 shows that 
the MD transform does not preserve regularity or maintain balance. (We give 
an example of a compression function that has balance one, yet the hash func- 
tion resulting from the MD transform applied to this compression function has 
balance zero.) 

Proposition 4 is more positive, showing that regularity not only of the com- 
pression function but also of certain associated functions does suffice to guarantee 
regularity of the hash function. But Proposition 5 notes that if the compression 
and associated functions have even minor deviations from regularity, meaning 
balance that is high but not equal to one, then the MD transform can amplify the imbalance and result in a hash function with very low balance.

Given that a random compression function has balance close to but not 
equal to one, and we expect practical compression functions to be similar, our 
final conclusion is that we cannot recommend, as a general design principle, 
attempting to ensure high balance of a hash function by only establishing some 
properties of the compression function and hoping the MD transform does the 
rest. 

We stress that none of this implies any weaknesses in specific existing hash 
functions such as those mentioned above. But it does indicate a weakness in the 
MD transform based design principle from the point of view of ensuring high 
balance, and means that if we want to ensure or verify high balance of a hash 
function we might be forced to analyze it directly rather than being able to 
concentrate on the possibly simpler task of analyzing the compression function. 
We turn next to some preliminary experimental work in this vein with SHA-1. 

Experimenting with SHA-1. The hash function SHA-1 was designed with the goal that the birthday attack threshold is about 2^{80} trials. As per the above, this goal would only be met if the balance of the hash function was close to one. More precisely, letting SHA_n: {0,1}^n → {0,1}^{160} denote the restriction of SHA-1 to inputs of length n ≤ 2^{64}, we would like to know whether SHA_n has balance close to one for practical values of n, since otherwise a birthday attack on SHA_n will find a collision for SHA-1 in fewer than 2^{80} trials.

The balance of SHA_n is however hard to compute, and even to estimate experimentally, when n is large. Section 6 however reports on some experiments that compute μ(SHA_{32;t_1…t_2}) for small values of t_2 − t_1, where SHA_{n;t_1…t_2}: {0,1}^n → {0,1}^{t_2−t_1+1} is the function which returns the t_1-th through t_2-th output bits of SHA_n. The computed values for μ(SHA_{32;t_1…t_2}) are extremely close to what one would expect from a random function with the same domain and range. Toward estimating the balance of SHA_n for larger values of n, Section 6 reports on some experiments on SHA_{n;t_1…t_2} for larger n. Broadly speaking, the experiments indicate that these functions have high balance. This can be taken as some indication that SHA_n also has high balance, meaning SHA-1 is well-designed from the balance point of view.

Remarks. We clarify that while high balance is a necessary requirement for a collision-resistant hash function, it is certainly not sufficient. It is easy to give examples of high-balance hash functions for which it is easy to find collisions. High balance is just one of many design criteria that designers should consider.

We also clarify that this paper does not uncover any weaknesses, or demon- 
strate improved performance of birthday attacks, on any specific, existing hash 
functions such as those mentioned above. However it provides analytical tools 
that contribute toward the goal of better understanding the security of existing 
hash functions or building new ones, and suggests a need to put more effort 
into estimating the balance of existing hash functions to see whether weaknesses 
exist. 
2 Notation and Terminology

If n is a non-negative integer then we let [n] = {1, …, n}. If S is a set then |S| denotes its size. We denote by h: D → R a function mapping domain D to range R, and throughout the paper we assume that R has size at least two. We usually denote |D| by d and |R| by r. A collision for h is a pair x_1, x_2 of points in D such that x_1 ≠ x_2 but h(x_1) = h(x_2). For any y ∈ R we let

$$h^{-1}(y) = \{\, x \in D : h(x) = y \,\} .$$

We say that h is regular if |h^{-1}(y)| = d/r for every y ∈ R, where d = |D| and r = |R|.

3 The Balance Measure and Its Properties

We introduce a measure that we call the balance, and establish some of its basic properties.

Definition 1. Let h: D → R be a function whose domain D and range R = {R_1, …, R_r} have sizes d, r ≥ 2, respectively. For i ∈ [r] let d_i = |h^{-1}(R_i)| denote the size of the pre-image of R_i under h. The balance of h, denoted μ(h), is defined as

$$\mu(h) = \log_r\left(\frac{d^2}{d_1^2 + \cdots + d_r^2}\right)$$

where log_r(·) denotes the logarithm in base r. ■

It is easy to see that a regular function has balance 1 and a constant function has balance 0. The following says that these are the two extremes: in general, the balance is a real number that could fall somewhere in the range between 0 and 1. The proof is based on standard facts and provided in the full version of this paper [1] for completeness.

Proposition 1. Let h be a function. Then

$$0 \le \mu(h) \le 1 . \qquad (3)$$

Furthermore, μ(h) = 0 iff h is a constant function, and μ(h) = 1 iff h is a regular function. ■

The following lemma, which we prove in [1], will be useful later.

Lemma 1. Let h: D → R be a function. Let d = |D| and r = |R| and assume d ≥ r ≥ 2. Then

$$r^{-\mu(h)} - \frac{1}{d} \;\ge\; \left(1 - \frac{r}{d}\right)\cdot r^{-\mu(h)} \qquad (4)$$

where μ(h) is the balance of h as per Definition 1. ■
For i = 1, …, q do                                   // q is the number of trials
    Pick x_i at random from the domain of h
    y_i ← h(x_i)                                     // Hash x_i to get y_i
    If there exists j < i such that y_i = y_j but x_i ≠ x_j then
        return x_i, x_j                              // collision found
    EndIf
EndFor
Return ⊥                                             // No collision found

Fig. 1. Birthday attack on a hash function h: D → R. The attack is successful in finding a collision if it does not return ⊥. We call q the number of trials.



4 Balance-Based Analysis of the Birthday Attack 



The attack is presented in Figure 1. (Note that it picks the points x_1, …, x_q independently at random, rather than picking them at random subject to being distinct as in some variants of the attack [8]. The difference in performance is negligible as long as the domain is larger than the range.)

We are interested in two quantities: the probability C of finding a collision in 
a given number q of trials, and the threshold Q, defined as the expected number 
of trials to get a collision. Both will be estimated in terms of the balance of 
the hash function being attacked. Note that although Q is a simpler metric it 
is less informative than C since the latter shows how the success-rate of the 
attack grows with the number of trials. We begin with Theorem 1 below, which 
gives both upper and lower bounds on C that are within constant factors of each 
other. The proof of Theorem 1 is in Section 4.1 below. 



Theorem 1. Let h: D → R be a hash function. Let d = |D| and r = |R| and assume d ≥ r ≥ 2. Let C denote the probability of finding a collision for h in q ≥ 2 trials of the birthday attack of Figure 1. Let μ(h) be the balance of h as per Definition 1. Then

$$C \;\le\; \binom{q}{2}\cdot\left(r^{-\mu(h)} - \frac{1}{d}\right) \qquad (5)$$

Additionally, if α is any real number, we have

$$\left(1 - \alpha - \frac{\alpha^2}{4}\right)\cdot\binom{q}{2}\cdot\left(r^{-\mu(h)} - \frac{1}{d}\right) \;\le\; C \qquad (6)$$

under the assumption that

$$q \;\le\; \alpha\cdot\left(1 - \frac{r}{d}\right)\cdot r^{\mu(h)/2} . \qquad (7)$$

The above may be a bit hard to interpret. The following, which simply picks a particular value for the parameter α and applies the above, may be easier to understand. It provides upper and lower bounds on C that are within a factor of four of each other assuming q ≤ (1/5)·r^{μ(h)/2}. The proof of Corollary 1 is in [1].
Corollary 1. Let h: D → R be a hash function. Let d = |D| and r = |R| and assume d ≥ 2r ≥ 4. Let C denote the probability of finding a collision for h in q ≥ 2 trials of the birthday attack of Figure 1. Let μ(h) be the balance of h as per Definition 1. Then

Additionally,

under the assumption that q ≤ (1/5)·r^{μ(h)/2}. ■

As we mentioned before, we believe it is important to have close upper and lower bounds rather than approximate equalities when it comes to computing the success rate of attacks, since we are making very specific choices of parameters, such as hash function output lengths, based on these estimates, and if our estimates of the success rates are not equally specific we might choose parameters incorrectly.

Remark 1. The lower bound in Equation (9) is only valid when 2 ≤ q ≤ (1/5)·r^{μ(h)/2}. The upper bound on q here is not particularly restrictive since we know that as q approaches r^{μ(h)/2} the probability C gets close to 1. However, note that we are implicitly assuming 2 ≤ (1/5)·r^{μ(h)/2}, meaning we are assuming a lower bound on μ(h). However the result only excludes functions of tiny balance. ■

Next, we show that the threshold is Θ(r^{μ(h)/2}). Again, we provide explicit upper and lower bounds that are within a constant factor of each other. The proof of Theorem 2 is in Section 4.2.

Theorem 2. Let h: D → R be a hash function. Let d = |D| and r = |R| and assume d ≥ 2r ≥ 4. Let Q denote the threshold, meaning the expected number of trials, in the birthday attack of Figure 1, to get a collision. Let μ(h) be the balance of h as per Definition 1 and assume ((√7 − 2)/3)·r^{μ(h)/2} ≥ 2. Then

$$\frac{1}{2}\cdot r^{\mu(h)/2} \;\le\; Q \;\le\; 72\cdot r^{\mu(h)/2} . \quad\blacksquare$$

Designers of hash functions often have as target to make the hash function have “random” behavior. We now state a result which will enable us to gauge how well random functions fare against the birthday attack. (Consequences are discussed after the statement.) Proposition 2 below says that if h is chosen at random then the expectation of r^{-μ(h)} is more than 1/r (what it would be for a regular function) by a factor equal to about 1 + r/d. The proof of Proposition 2 is in the full version of this paper [1].

Proposition 2. Let D, R be sets of sizes d, r respectively, where d ≥ r ≥ 2. If we choose a function h: D → R at random then

As an example, suppose d = 2r. Then the above implies that if h is chosen at random then

$$E\left[r^{-\mu(h)}\right] \approx \frac{3}{2}\cdot\frac{1}{r} .$$

As per Theorem 1 and Theorem 2 this means that if h is chosen at random then the probability of finding a collision in q trials is expected to rise to about 3/2 times what it would be for a regular function, while the threshold is expected to fall to about √(2/3) times what it would be for a regular function. Although the difference in the efficacy of birthday attacks against regular and random functions becomes less as d/r increases, the above example with d = 2r suggests that although hash functions are often designed to be “random”, in terms of resistance to birthday attacks a more desirable goal is to have randomness subject to regularity. This also applies to all restrictions of the hash function to domains from which an adversary may draw during a birthday attack (eg. SHA-1 restricted to 161-bit inputs).
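Added example (not the paper's code): the balance of Definition 1 computed for three constructed toy functions, the Theorem 1 and Theorem 2 bounds evaluated at those balances, and the attack of Figure 1 simulated so that its empirical threshold can be compared with the bounds. The domain and range sizes, the toy functions and the choice α = 0.4 for Equation (7) are assumptions made here for illustration.

```python
"""Balance (Definition 1) of small constructed hash functions, the
Theorem 1 bounds on the collision probability C, the Theorem 2 bounds on
the threshold Q, and a simulation of the birthday attack of Figure 1.

Added example, not the paper's code.  The toy functions map a domain of
d = 2^16 integers onto a range of r = 2^10 integers so every pre-image
size d_i can be counted by enumeration; none of them is a real hash.
"""
import math
import random
from collections import Counter

D_SIZE = 2 ** 16                 # d = |D|, constructed toy domain {0,...,d-1}
R_SIZE = 2 ** 10                 # r = |R|, constructed toy range {0,...,r-1}
DOMAIN = range(D_SIZE)


def h_regular(x):
    """Every range point has exactly d/r = 64 pre-images: balance 1."""
    return x % R_SIZE


def h_truncated(x):
    """Clears the two low output bits: only 256 of the 1024 range points
    are hit, each with 256 pre-images, so mu = log_1024(256) = 0.8."""
    return (x % R_SIZE) & ~3


def h_constant(x):
    """Everything maps to 0: balance 0."""
    return 0


def balance(h, domain=DOMAIN, r=R_SIZE):
    """mu(h) = log_r( d^2 / (d_1^2 + ... + d_r^2) ).  Range points with no
    pre-image have d_i = 0 and simply drop out of the sum."""
    d = len(domain)
    sum_sq = sum(c * c for c in Counter(h(x) for x in domain).values())
    return math.log(d * d / sum_sq) / math.log(r)


def theorem1_bounds(mu, q, d=D_SIZE, r=R_SIZE, alpha=0.4):
    """(lower, upper, eq7_ok) for the probability C of a collision in q
    trials: Eq. (5) upper bound; Eq. (6) lower bound, which the theorem
    guarantees only under Eq. (7), q <= alpha*(1 - r/d)*r^(mu/2)."""
    p = r ** (-mu) - 1.0 / d                  # Pr[X_I = 1], Eq. (11)
    pairs = q * (q - 1) / 2                   # binom(q, 2)
    upper = min(1.0, pairs * p)
    lower = (1 - alpha - alpha ** 2 / 4) * pairs * p
    eq7_ok = q <= alpha * (1 - r / d) * r ** (mu / 2)
    return lower, upper, eq7_ok


def theorem2_bounds(mu, r=R_SIZE):
    """(lower, upper, assumption_ok): (1/2) r^(mu/2) <= Q <= 72 r^(mu/2),
    valid when ((sqrt 7 - 2)/3) * r^(mu/2) >= 2."""
    t = r ** (mu / 2)
    return 0.5 * t, 72 * t, (math.sqrt(7) - 2) / 3 * t >= 2


def birthday_attack(h, rng, domain=DOMAIN, max_trials=None):
    """Figure 1: draw points independently at random until two distinct
    points hash alike.  Returns the number of trials used, or None when
    max_trials ran out first (the attack returned bottom)."""
    first_seen = {}                           # y -> first x that hashed to y
    trials = 0
    while max_trials is None or trials < max_trials:
        trials += 1
        x = rng.choice(domain)
        y = h(x)
        if y not in first_seen:
            first_seen[y] = x
        elif first_seen[y] != x:              # same y, different x: collision
            return trials
    return None


def empirical_threshold(h, runs=200, seed=1):
    """Mean number of trials to the first collision: an estimate of Q."""
    rng = random.Random(seed)
    return sum(birthday_attack(h, rng) for _ in range(runs)) / runs


def empirical_collision_rate(h, q, runs=2000, seed=2):
    """Fraction of runs in which q trials yield a collision: estimate of C."""
    rng = random.Random(seed)
    hits = sum(birthday_attack(h, rng, max_trials=q) is not None
               for _ in range(runs))
    return hits / runs


if __name__ == "__main__":
    for name, h in (("regular", h_regular), ("truncated", h_truncated),
                    ("constant", h_constant)):
        mu = balance(h)
        lo, hi, ok = theorem2_bounds(mu)
        print(f"{name:9s} mu={mu:.3f} Q_hat={empirical_threshold(h):6.1f} "
              f"Theorem 2: {lo:.1f} <= Q <= {hi:.1f} (assumption ok: {ok})")
    for name, h in (("regular", h_regular), ("truncated", h_truncated)):
        lo, hi, ok = theorem1_bounds(balance(h), q=10)
        print(f"{name:9s} q=10: {lo:.4f} <= C <= {hi:.4f} "
              f"C_hat={empirical_collision_rate(h, 10):.4f} (Eq. 7 ok: {ok})")
```

Dropping the balance from 1 to 0.8 halves the simulated threshold (about 40 trials down to about 20 on this toy range), which is what r^{μ(h)/2} predicts: 32 against 16.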



4.1 Proof of Theorem 1

We let [q]_2 denote the set of all two-element subsets of [q]. Recall that the attack picks x_1, …, x_q at random from the domain D of the hash function. We associate to any two-element set I = {i, j} ∈ [q]_2 the random variable X_I which takes value 1 if x_i, x_j form a collision (meaning x_i ≠ x_j and h(x_i) = h(x_j)), and 0 otherwise. We let

$$X = \sum_{I \in [q]_2} X_I .$$

The random variable X is the number of collisions. (We clarify that in this manner of counting the number of collisions, if n distinct points have the same hash value, they contribute n(n − 1)/2 toward the value of X.) For any I ∈ [q]_2 we have

$$E[X_I] = \Pr[X_I = 1] = \sum_{i=1}^{r} \frac{d_i}{d}\cdot\frac{d_i - 1}{d} = \frac{1}{d^2}\sum_{i=1}^{r} d_i^2 - \frac{1}{d^2}\sum_{i=1}^{r} d_i = r^{-\mu(h)} - \frac{1}{d} .$$

Let

$$p = r^{-\mu(h)} - \frac{1}{d} . \qquad (11)$$

By linearity of expectation we have

$$E[X] = \sum_{I \in [q]_2} E[X_I] = \binom{q}{2}\cdot p . \qquad (12)$$

The upper bound of Theorem 1 is a simple application of Markov’s inequality and Equation (12):

$$\Pr[C] = \Pr[X \ge 1] \;\le\; E[X] = \binom{q}{2}\cdot p .$$
We proceed to the lower bound. Let [q]_{2,2} denote the set of all two-element subsets of [q]_2. Via the inclusion-exclusion principle we have

$$\Pr[C] = \Pr\Big[\bigvee_{I \in [q]_2} X_I = 1\Big] \;\ge\; \sum_{I \in [q]_2} \Pr[X_I = 1] \;-\; \sum_{\{I,J\} \in [q]_{2,2}} \Pr[X_I = 1 \wedge X_J = 1] . \qquad (13)$$

Equation (12) tells us that the first sum above is

$$\sum_{I \in [q]_2} \Pr[X_I = 1] = \sum_{I \in [q]_2} E[X_I] = E[X] = \binom{q}{2}\cdot p . \qquad (14)$$

We now claim that

$$\sum_{\{I,J\} \in [q]_{2,2}} \Pr[X_I = 1 \wedge X_J = 1] \;\le\; \left(\frac{\alpha^2}{4} + \alpha\right)\cdot\binom{q}{2}\cdot p . \qquad (15)$$

This completes the proof because from Equations (13), (14) and (15) we obtain Equation (6) as follows:

$$\Pr[C] \;\ge\; \binom{q}{2}\cdot p - \left(\frac{\alpha^2}{4} + \alpha\right)\cdot\binom{q}{2}\cdot p \;=\; \left(1 - \alpha - \frac{\alpha^2}{4}\right)\cdot\binom{q}{2}\cdot p .$$

It remains to prove Equation (15).

Let E be the set of all {I, J} ∈ [q]_{2,2} such that I ∩ J = ∅, and let N be the set of all {I, J} ∈ [q]_{2,2} such that I ∩ J ≠ ∅. Then

$$\sum_{\{I,J\} \in [q]_{2,2}} \Pr[X_I = 1 \wedge X_J = 1] \;=\; \underbrace{\sum_{\{I,J\} \in E} \Pr[X_I = 1 \wedge X_J = 1]}_{S_E} \;+\; \underbrace{\sum_{\{I,J\} \in N} \Pr[X_I = 1 \wedge X_J = 1]}_{S_N} . \qquad (16)$$

We now claim that

$$S_E \;\le\; \frac{\alpha^2}{4}\cdot\binom{q}{2}\cdot p , \qquad (17)$$

$$S_N \;\le\; \alpha\cdot\binom{q}{2}\cdot p . \qquad (18)$$

Equation (15) follows from Equations (16), (17) and (18). We now prove Equations (17) and (18).
To upper bound S_E we note that if {I, J} ∈ E then the random variables X_I and X_J are independent. Using Equation (11) we get

$$S_E = \sum_{\{I,J\} \in E} \Pr[X_I = 1 \wedge X_J = 1] = \sum_{\{I,J\} \in E} \Pr[X_I = 1]\cdot\Pr[X_J = 1] = |E|\cdot p^2 .$$

Computing the size of the set E and simplifying, we get

$$S_E = \frac{1}{2}\cdot\binom{q}{2}\cdot\binom{q-2}{2}\cdot p^2 = \binom{q}{2}\cdot\frac{q^2 - 5q + 6}{4}\cdot p^2 .$$

We now upper bound this as follows:

$$S_E \;\le\; \binom{q}{2}\cdot p\cdot\frac{q^2}{4}\cdot p \;\le\; \binom{q}{2}\cdot p\cdot\frac{\alpha^2}{4}\cdot r^{\mu(h)}\cdot p \;\le\; \frac{\alpha^2}{4}\cdot\binom{q}{2}\cdot p .$$

Above the first inequality is true because Theorem 1 assumes q ≥ 2. The second inequality is true because of the assumption made in Equation (7). The third inequality is true because r^{μ(h)}·p ≤ 1. We have now obtained Equation (17).

The remaining task is to upper bound S_N. The difficulty here is that for {I, J} ∈ N the random variables X_I and X_J are not independent. We let d_i = |h^{-1}(R_i)| for i ∈ [r] where R = {R_1, …, R_r} is the range of the hash function. If {I, J} ∈ N then the two-element sets I and J intersect in exactly one point. (They cannot be equal since I, J are assumed distinct.) Accordingly we have

$$S_N = \sum_{\{I,J\} \in N} \Pr[X_I = 1 \wedge X_J = 1] = |N|\cdot\sum_{i=1}^{r} \frac{d_i\,(d_i - 1)^2}{d^3} \;\le\; |N|\cdot\frac{1}{d^3}\sum_{i=1}^{r} d_i^3 . \qquad (19)$$

We now compute the size of the set N:

$$|N| = \binom{q}{2}\cdot(q - 2) .$$

Putting this together with Equation (19) we have

$$S_N \;\le\; \binom{q}{2}\cdot(q - 2)\cdot\frac{1}{d^3}\sum_{i=1}^{r} d_i^3 . \qquad (20)$$

To upper bound the sum of Equation (20), we view d_1, …, d_r as variables and consider the problem of maximizing d_1^3 + ⋯ + d_r^3 subject to the constraint Σ_{i=1}^{r} d_i^2 = d^2·r^{-μ(h)}. The maximum occurs when d_1 = d·r^{-μ(h)/2} and d_i = 0 for i = 2, …, r, meaning that

$$\sum_{i=1}^{r} d_i^3 \;\le\; d^3\cdot r^{-3\mu(h)/2} .$$

Returning to Equation (20) with this information we get

$$S_N \;\le\; \binom{q}{2}\cdot(q - 2)\cdot r^{-3\mu(h)/2} \;\le\; \binom{q}{2}\cdot q\cdot r^{-3\mu(h)/2} .$$

We now use the assumption made in Equation (7), and finally use Lemma 1, to get

$$S_N \;\le\; \binom{q}{2}\cdot\alpha\cdot\left(1 - \frac{r}{d}\right)\cdot r^{\mu(h)/2}\cdot r^{-3\mu(h)/2} = \alpha\cdot\binom{q}{2}\cdot\left(1 - \frac{r}{d}\right)\cdot r^{-\mu(h)} \;\le\; \alpha\cdot\binom{q}{2}\cdot p .$$

This proves Equation (18) and thus concludes the proof of Theorem 1.

4.2 Proof of Theorem 2

We begin by proving the lower bound. Let the random variable Y denote the number of trials to collision. Let C(q) denote the probability of finding a collision for h in q ≥ 2 trials of the birthday attack in Figure 1, and let D(q) denote the probability of finding the first collision on the q-th trial. Let Q = r^{μ(h)/2}. From the definition of Y:

$$E[Y] = \sum_{x=1}^{\infty} x\cdot D(x) \;\ge\; Q\cdot\sum_{x=Q}^{\infty} D(x) = Q\cdot\big(1 - C(Q - 1)\big) .$$

We claim that

$$C(Q - 1) \;\le\; \frac{1}{2} . \qquad (21)$$

It follows that

$$E[Y] \;\ge\; Q\cdot(1/2) \;\ge\; \frac{1}{2}\cdot r^{\mu(h)/2}$$

as desired. We now justify Equation (21). From Equation (8) of Corollary 1 we know that

$$C(Q - 1) \;\le\; \binom{Q-1}{2}\cdot r^{-\mu(h)} = \frac{1}{2}\left((Q-1)^2 - (Q-1)\right)\cdot r^{-\mu(h)} .$$

Since Q = r^{μ(h)/2} ≥ 2 by assumption,

$$(Q-1)^2 - (Q-1) = Q^2 - 3Q + 2 \;\le\; Q^2 = r^{\mu(h)} ,$$

and

$$C(Q - 1) \;\le\; \frac{1}{2}\cdot r^{\mu(h)}\cdot r^{-\mu(h)} = \frac{1}{2}$$

as desired.
For the upper bound, we must be careful since there are upper restrictions on q in Equation (9) and Equation (6). Fix α = (2√7 − 4)/3 and q = (α/2)·r^{μ(h)/2}. First note that

$$q = \frac{\alpha}{2}\cdot r^{\mu(h)/2} \;\le\; \alpha\cdot\left(1 - \frac{r}{d}\right)\cdot r^{\mu(h)/2}$$

since we assume that d ≥ 2r and therefore that 1 − r/d ≥ 1/2. This means that we can use Theorem 1 with α and q defined as above. Combining Theorem 1 with Lemma 1 and the assumptions that d ≥ 2r and q = (α/2)·r^{μ(h)/2} ≥ 2, we have

$$C(q) \;\ge\; \left(1 - \alpha - \frac{\alpha^2}{4}\right)\cdot\binom{q}{2}\cdot\left(1 - \frac{r}{d}\right)\cdot r^{-\mu(h)} \;\ge\; \left(1 - \alpha - \frac{\alpha^2}{4}\right)\cdot\binom{q}{2}\cdot\frac{1}{2}\cdot r^{-\mu(h)} \;\ge\; \left(1 - \alpha - \frac{\alpha^2}{4}\right)\cdot\frac{q^2}{8}\cdot r^{-\mu(h)} .$$

Replacing q with (α/2)·r^{μ(h)/2} we get

$$C(q) \;\ge\; \left(1 - \alpha - \frac{\alpha^2}{4}\right)\cdot\frac{1}{8}\cdot\frac{\alpha^2}{4} \;=\; \frac{1}{32}\cdot\left(\alpha^2 - \frac{\alpha^4}{4} - \alpha^3\right) . \qquad (22)$$

Now consider the following experiment that repeatedly runs the birthday attack, using q = (α/2)·r^{μ(h)/2} trials, until a collision is found:

For j = 1, 2, … do
    For i = 1, …, q do
        Pick x_{q(j−1)+i} at random from the domain of h
        y_{q(j−1)+i} ← h(x_{q(j−1)+i})
        If there exists k such that q(j − 1) < k < q(j − 1) + i
                and y_{q(j−1)+i} = y_k but x_{q(j−1)+i} ≠ x_k then
            return x_{q(j−1)+i}, x_k        // collision found in this block of q trials
        EndIf
    EndFor
EndFor

Let the random variable A denote the number of trials to success in the above experiment. We claim that

$$E[Y] \;\le\; E[A] \qquad (23)$$

and

$$E[A] \;\le\; \frac{q}{C(q)} \qquad (24)$$

and combining with Equation (22), it follows that

$$E[Y] \;\le\; \frac{q}{C(q)} \;\le\; \frac{(\alpha/2)\cdot r^{\mu(h)/2}}{(1/32)\cdot\left(\alpha^2 - (\alpha^4/4) - \alpha^3\right)} \;\le\; 72\cdot r^{\mu(h)/2} ,$$

giving the upper bound in the theorem statement.
To prove Equation (23) it is sufficient to note that, for any random tape T,

$$Y(T) \;\le\; A(T)$$

since any collision in the above experiment is immediately a collision for the birthday attack in Figure 1.

To prove Equation (24), consider each inner loop of the above experiment as an independent Bernoulli trial, and let Z denote the number of Bernoulli trials (inner loop executions) to collision. Since each inner loop has a success probability C(q), standard results tell us that

(25)

Let F(i) denote the probability that the first collision in the above experiment occurs on the i-th trial. Let G(j) denote the probability that the first collision is found in the j-th execution of the inner loop in the above experiment. Then

$$E[A] = \sum_{i=1}^{\infty} i\cdot F(i) = \sum_{j=1}^{\infty}\sum_{i=1}^{q} \big(q\cdot(j-1) + i\big)\cdot F\big(q\cdot(j-1) + i\big) \;\le\; \sum_{j=1}^{\infty} q\cdot j\cdot\left(\sum_{i=1}^{q} F\big(q\cdot(j-1) + i\big)\right) .$$

Since, by the definition of G(j), for any j ≥ 1

$$\sum_{i=1}^{q} F\big(q\cdot(j-1) + i\big) = G(j) ,$$

it follows that

$$E[A] \;\le\; q\cdot\sum_{j=1}^{\infty} j\cdot G(j) = q\cdot E[Z] . \qquad (26)$$

Combining Equation (25) with Equation (26) yields Equation (24), completing the proof.



5 Does the MD Transform Preserve Balance?

We consider the following popular paradigm for the construction of hash functions. First build a compression function H: {0,1}^{b+c} → {0,1}^c, where b ≥ 1 is called the block-length and c ≥ 1 is called the chaining-length. Then transform H into a hash function H̄: D_b → {0,1}^c, where

$$D_b = \{\, M \in \{0,1\}^* : |M| = nb \text{ for some } 1 \le n \le 2^b \,\} ,$$
Function H̄(M)
    Break M into b-bit blocks M_1 ‖ ⋯ ‖ M_n
    M_{n+1} ← ⟨n⟩_b ; C_0 ← 0^c
    For i = 1, …, n + 1 do C_i ← H(M_i ‖ C_{i−1}) EndFor
    Return C_{n+1}

Fig. 2. Hash function H̄: D_b → {0,1}^c obtained via the MD transform applied to compression function H: {0,1}^{b+c} → {0,1}^c.



via the Merkle-Damgard (MD) [5,2] transform depicted in Figure 2. (In this
description and below, we let $\langle i \rangle_b$ denote the representation of integer $i$ as a
string of length exactly $b$ bits for $i = 0, \ldots, 2^b - 1$.) In particular, modulo details,
this is the paradigm used in the design of popular hash functions including MD5
[7], SHA-1 [6] and RIPEMD-160 [3].

For the considerations in this section, we will focus on the restriction of $\overline{H}$
to strings of some particular length. For any integer $1 \le n < 2^b$ (the number
of blocks) we let $\overline{H}_n: D_{b,n} \to \{0,1\}^c$ denote the restriction of $\overline{H}$ to the domain
$D_{b,n}$, defined as the set of all strings in $D_b$ that have length exactly $nb$ bits.

Our results lead us to desire that $\overline{H}_n$ has high balance for all practical values
of $n$. Designers could certainly try to ensure that the compression function is
regular or has high balance, but to be assured that $\overline{H}_n$ has high balance it would
need to be the case that the MD transform is "balance preserving." Unfortunately,
the following shows that this is not true. It presents an example of a
compression function $H$ which has high balance (in fact is regular, with balance
one) but $\overline{H}_n$ has low balance (in fact, balance zero) even for $n = 2$.

Proposition 3. Let $b, c$ be positive integers. There exists a compression function
$H: \{0,1\}^{b+c} \to \{0,1\}^c$ such that $H$ is regular ($\mu(H) = 1$) but $\overline{H}_2$ is a constant
function ($\mu(\overline{H}_2) = 0$).

Proof (Proposition 3). Let $H: \{0,1\}^{b+c} \to \{0,1\}^c$ map $B \| C$ to $C$ for all $b$-bit
strings $B$ and $c$-bit strings $C$. Clearly $\mu(H) = 1$ since each point in $\{0,1\}^c$
has exactly $2^b$ pre-images under $H$. Because the initial vector (IV) in the MD
transform is the constant $C_0 = 0^c$, and by the definition of $H$, the function $\overline{H}_2$
maps all inputs to $0^c$. □

This example might be viewed as contrived particularly because the compression
function $H$ above is not collision-resistant (although it is very resistant to
birthday attacks), but in fact it still serves to illustrate an important point. The
popularity of the MD paradigm arises from the fact that it provably preserves
collision-resistance [5,2]. However, the above shows that it does not provably
preserve balance. Even though Proposition 3 does not say that the transform
will always be poor at preserving balance, it says that we cannot count on the
transform to preserve balance in general. This means that simply ensuring high
balance of the compression function is not a suitable general design principle.
(We also remark that there exist adversaries capable of finding collisions for
any unkeyed compression function, including the compression functions in MD5,
SHA-1, and RIPEMD-160, using exactly two trials. We just do not know what
these adversaries are.)

Is there any other design principle whereby some properties of the compression
function suffice to ensure high balance of the hash function? Toward finding
one we note that the behavior exhibited by the function $\overline{H}_2$ in the proof of
Proposition 3 arose because the initial vector (IV) of the MD transform was
$C_0 = 0^c$, and although $H$ was regular, the restriction of $H$ to inputs having
the last $c$ bits $0$ was not regular, and in fact was constant. Accordingly we
consider requiring regularity conditions not just on the compression function
but on certain related functions as well. If $H: \{0,1\}^{b+c} \to \{0,1\}^c$ then define
$H_0: \{0,1\}^b \to \{0,1\}^c$ via $M \mapsto H(M \| 0^c)$ for all $M \in \{0,1\}^b$, and for $n \ge 1$
define $H_n: \{0,1\}^c \to \{0,1\}^c$ via $M \mapsto H(\langle n \rangle_b \| M)$ for all $M \in \{0,1\}^c$. The
following shows that if $H, H_0, H_n$ are all regular, meaning have balance one, then
$\overline{H}_n$ is also regular.

Proposition 4. Let $b, c, n$ be positive integers. Let $H: \{0,1\}^{b+c} \to \{0,1\}^c$ and
let $H_0, H_n$ be as above. Assume $H$, $H_0$, and $H_n$ are all regular. Then $\overline{H}_n$ is
regular.

Proof (Proposition 4). The computation of $\overline{H}_n$ can be written as

Function $\overline{H}_n(M)$
    Break $M$ into $b$-bit blocks $M_1 \| \cdots \| M_n$ ; $C_1 \leftarrow H_0(M_1)$
    For $i = 2, \ldots, n$ do $C_i \leftarrow H(M_i \| C_{i-1})$ EndFor
    $C_{n+1} \leftarrow H_n(C_n)$ ; Return $C_{n+1}$

It is not hard to check that the assumed regularity of $H_0$, $H$ and $H_n$ imply the
regularity of $\overline{H}_n$. □
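The MD transform of Figure 2, the balance measure, the counterexample of Proposition 3 and the related functions $H_0$, $H_n$ of Proposition 4, as an added, runnable Python example (this is not code from the paper). It assumes the balance definition $\mu(h) = \log_r(d^2 / \sum_y d_y^2)$ from Definition 1 earlier in the paper, represents bit strings as integers, and uses the small parameters $b = 4$, $c = 3$ chosen here so that every function can be tabulated exhaustively. It also adds a second, constructed compression function (truncated XOR) that satisfies all three hypotheses of Proposition 4, so the contrast with the projection function is visible in the numbers.

```python
import math
from collections import Counter
from itertools import product


def balance(func, domain, r):
    """mu(h) = log_r( d^2 / (d_1^2 + ... + d_r^2) ), the balance measure of Definition 1
    (restated here), for h: domain -> {0, ..., r-1}; d_y is the number of preimages of y."""
    counts = Counter(func(x) for x in domain)
    d = len(domain)
    return math.log(d * d / sum(v * v for v in counts.values()), r)


def md_hash(h, b, c, blocks):
    """The MD transform of Fig. 2: IV C_0 = 0^c, append <n>_b, then chain through h.
    h(block, chain) plays the compression function H(B || C) on a b-bit block and a
    c-bit chaining value; bit strings are represented as integers."""
    n = len(blocks)
    assert 1 <= n < 2 ** b, "<n>_b must fit in b bits"
    chain = 0                                  # C_0 = 0^c
    for block in blocks + [n]:                 # M_{n+1} = <n>_b
        chain = h(block, chain)
    return chain


def related_balances(h, b, c, n):
    """Balances of H, H_0, H_n (the functions of Proposition 4) and of the n-block
    hash Hbar_n, all computed exhaustively over their domains."""
    blocks = list(range(2 ** b))
    chains = list(range(2 ** c))
    r = 2 ** c
    return {
        "H":      balance(lambda bc: h(bc[0], bc[1]), list(product(blocks, chains)), r),
        "H_0":    balance(lambda m: h(m, 0), blocks, r),          # H_0(M) = H(M || 0^c)
        "H_n":    balance(lambda cc: h(n, cc), chains, r),        # H_n(C) = H(<n>_b || C)
        "Hbar_n": balance(lambda m: md_hash(h, b, c, list(m)),
                          list(product(blocks, repeat=n)), r),
    }


def projection(block, chain):
    """The compression function of Proposition 3: H(B || C) = C."""
    return chain


def xor_compress(block, chain, c=3):
    """A compression function constructed here for contrast: the low c bits of B xor C."""
    return (block ^ chain) & ((1 << c) - 1)


def prop3_example(b=4, c=3):
    """Proposition 3 in numbers: H and H_n regular, H_0 and Hbar_2 constant."""
    return related_balances(projection, b, c, n=2)


def prop4_example(b=4, c=3):
    """All three hypotheses of Proposition 4 hold, and Hbar_2 comes out regular."""
    return related_balances(lambda B, C: xor_compress(B, C, c), b, c, n=2)


if __name__ == "__main__":
    print("projection (Prop. 3):", prop3_example())
    print("truncated xor      :", prop4_example())
```

prop3_example() reports balance 1.0 for $H$ and $H_n$ but 0.0 for $H_0$ and $\overline{H}_2$: the hypothesis of Proposition 4 that fails for the projection function is exactly the regularity of $H_0$, which is where the zero IV enters. prop4_example() reports 1.0 for all four functions.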

Unfortunately Proposition 4 is not "robust." Although $\overline{H}_n$ has balance one
if $H, H_0, H_n$ have balance one, it turns out that if $H, H_0, H_n$ have balance
that is high but not quite one, we are not assured that $\overline{H}_n$ has high balance.
Proposition 5 shows that even a slight deviation from the maximum balance of
one in $H, H_0, H_n$ can be amplified, and result in $\overline{H}_n$ having very low balance.
The proof of the following is in the full version of this paper [1].

Proposition 5. Let $b, c$ be integers, $b \ge c \ge 2$, and let $n \ge c$. Then there
exists a compression function $H: \{0,1\}^{b+c} \to \{0,1\}^c$ such that $\mu(H) \ge 1 - 1/c$,
$\mu(H_0) = 1$, and $\mu(H_n) \ge 1 - 2/c$, but $\mu(\overline{H}_n) \le 1/c$, where the functions $H_0, H_n$
are defined as above.

As indicated by Proposition 2, a random compression function will have expected
balance that is high but not quite 1. We expect that practical compression
functions are in the same boat. Furthermore it seems harder to build compression
functions that have balance exactly one than close to one. So the lack of
robustness of Proposition 4, as exhibited by Proposition 5, means that Proposition 4
is of limited use.
The consequence of the results in this section is that we are unable to
recommend any design principle that, to ensure high balance, focuses solely on
establishing properties of the compression function. It seems one is forced to
look directly at the hash function. We endeavor next to do this for SHA-1.



6 Experiments on SHA-1 

Let $\mathrm{SHA}_n: \{0,1\}^n \to \{0,1\}^{160}$ denote the restriction of SHA-1 to inputs of
length $n < 2^{64}$. Because SHA-1's range is $\{0,1\}^{160}$, it is commonly believed
that the expected number of trials necessary to find a collision for $\mathrm{SHA}_n$ is
approximately $2^{80}$. As Theorem 2 shows, however, this is only true if the balance
of $\mathrm{SHA}_n$ is one or close to one for all practical values of $n$. If the balance is not
close to one, then we expect to be able to find collisions using less work. It
therefore seems desirable to calculate (or approximate) the balance of $\mathrm{SHA}_n$ for
reasonable values of $n$ (e.g. $n = 256$). A direct computation of $\mu(\mathrm{SHA}_n)$ based
on Definition 1 is however infeasible given the size of the domain and range of
$\mathrm{SHA}_n$. Accordingly we focus on a more achievable goal. We look at properties of
$\mathrm{SHA}_n$ that one can reasonably test and whose absence might indicate that $\mathrm{SHA}_n$
does not have high balance. Our experiments are not meant to be exhaustive,
but rather representative of the types of feasible experiments one can perform
with SHA-1.

Let $\mathrm{SHA}_{n;t_1 \ldots t_2}: \{0,1\}^n \to \{0,1\}^{t_2 - t_1 + 1}$ denote the function that returns
the $t_1$-th through $t_2$-th output bits of $\mathrm{SHA}_n$. We ask what exactly is the balance
of $\mathrm{SHA}_{32;t_1 \ldots t_2}$ when $t_2 - t_1 + 1 \in \{8, 16, 24\}$. And we ask whether the functions
$\mathrm{SHA}_{m;t_1 \ldots t_2}$, $m \in \{160, 256, 1024, 2048\}$, appear regular when $t_2 - t_1 + 1 \in$
$\{8, 16, 24\}$. (Note that $\mathrm{SHA}_{256}$ is SHA-1 restricted to the domain $\{0,1\}^{256}$, not
NIST's SHA-256 hash algorithm.)

Balance of $\mathrm{SHA}_{32;t_1 \ldots t_2}$. We calculate the balance of $\mathrm{SHA}_{32;t_1 \ldots t_2}$ for all pairs
$t_1, t_2$ such that $t_2 - t_1 + 1 \in \{8, 16, 24\}$ and $t_1$ begins on a byte boundary (i.e. we
look at all 1-, 2-, and 3-byte portions of the SHA-1 output). The calculated values
of $\mu(\mathrm{SHA}_{32;t_1 \ldots t_2})$ appear in the full version of this paper [1]. Characteristic
values are $\mu(\mathrm{SHA}_{32;1 \ldots 8}) = 0.99999998893$, $\mu(\mathrm{SHA}_{32;1 \ldots 16}) = 0.999998623$ and
$\mu(\mathrm{SHA}_{32;1 \ldots 24}) = 0.99976567$, indicating that, for the specified values of $t_1, t_2$,
the balance of $\mathrm{SHA}_{32;t_1 \ldots t_2}$ is high.

These results do not imply that the functions $\mathrm{SHA}_{n;t_1 \ldots t_2}$ or $\mathrm{SHA}_n$, $n > 32$
and $t_1, t_2$ as before, are regular. But it is encouraging that $\mu(\mathrm{SHA}_{32;t_1 \ldots t_2})$ are
high, and in fact very close to what one would expect from a random function
(cf. Proposition 2), since a small value for $\mu(\mathrm{SHA}_{32;t_1 \ldots t_2})$ for any of the specified
$t_1, t_2$ pairs might indicate some unusual property of the SHA-1 hash function.

Experiments on $\mathrm{SHA}_{160}$, $\mathrm{SHA}_{256}$, $\mathrm{SHA}_{1024}$, and $\mathrm{SHA}_{2048}$. Let $n \in \{160,$
$256, 1024, 2048\}$. Although we cannot calculate the balance of $\mathrm{SHA}_n$, we can
compare the behavior of $\mathrm{SHA}_{n;t_1 \ldots t_2}$, $t_2 - t_1 + 1 \in \{8, 16, 24\}$, on random inputs
to what one would expect from a regular or random function. There are several
possible approaches to take. Knowing that the balance of $\mathrm{SHA}_{n;t_1 \ldots t_2}$ directly
affects the expected number of trials to collision, the approach we take is to
compute the average, over 10000 runs, of the number of trials to collision in a
birthday attack against $\mathrm{SHA}_{n;t_1 \ldots t_2}$.

If the average number of trials to collision against $\mathrm{SHA}_{n;t_1 \ldots t_2}$ on random inputs
is approximately the same as what one would expect from a regular function,
it would support the view that $\mathrm{SHA}_n$ has high balance. However, a significant
difference between the results for $\mathrm{SHA}_{n;t_1 \ldots t_2}$ on random inputs and what one
would expect from a regular function might indicate some unusual behavior
with SHA-1, and this unusual behavior would deserve further investigation. Our
experimental results are consistent with $\mathrm{SHA}_n$ having high balance. However, we
again point out that these tests were only designed to uncover gross anomalies
and are not exhaustive. Details are in [1].
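The two experiments of this section, as an added Python example that is not the authors' code: it computes the exact balance of the first output byte of SHA-1 over a full input domain, and it averages the number of trials to collision of a birthday attack on an 8-bit output window, next to the classical birthday estimate $\sqrt{\pi r / 2}$ for a regular function with range size $r$. It assumes a 16-bit input domain for the exhaustive balance (the paper uses 32 bits; $2^{32}$ SHA-1 evaluations are too slow for a demonstration), 256-bit random inputs for the attack, a fixed PRNG seed, and a run count smaller than the paper's 10000; the estimate formula is a choice made here, not the bound of Theorem 2.

```python
import hashlib
import math
import random
from collections import Counter


def sha_window(msg: bytes, t1: int, t2: int) -> int:
    """SHA_{n;t1...t2}(msg): output bits t1 through t2 of SHA-1 (1-indexed from the most
    significant bit), returned as an integer of t2 - t1 + 1 bits."""
    digest = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    width = t2 - t1 + 1
    return (digest >> (160 - t2)) & ((1 << width) - 1)


def balance(func, domain, r):
    """mu(h) = log_r(d^2 / sum_y d_y^2), Definition 1 restated; d_y = number of preimages of y."""
    counts = Counter(func(x) for x in domain)
    d = len(domain)
    return math.log(d * d / sum(v * v for v in counts.values()), r)


def window_balance(n_bits=16, t1=1, t2=8):
    """Exact balance of SHA_{n;t1..t2} over the whole domain {0,1}^n. The paper does this
    for n = 32; n = 16 (chosen here) keeps it to 2^16 SHA-1 evaluations."""
    nbytes = n_bits // 8
    domain = range(1 << n_bits)
    r = 1 << (t2 - t1 + 1)
    return balance(lambda x: sha_window(x.to_bytes(nbytes, "big"), t1, t2), domain, r)


def birthday_trials(n_bits, t1, t2, rng):
    """One birthday attack on SHA_{n;t1..t2}: draw distinct random n-bit inputs until two
    of them hash to the same window value; return how many inputs were drawn."""
    nbytes = n_bits // 8
    seen, used, trials = {}, set(), 0
    while True:
        x = rng.getrandbits(n_bits)
        if x in used:
            continue              # the same input twice is not a collision; draw again
        used.add(x)
        trials += 1
        v = sha_window(x.to_bytes(nbytes, "big"), t1, t2)
        if v in seen:
            return trials
        seen[v] = x


def average_trials(n_bits=256, t1=1, t2=8, runs=2000, seed=2004):
    """Average trials to collision over `runs` attacks (the paper averages 10000 runs),
    returned together with the classical estimate sqrt(pi * r / 2) for a regular function."""
    rng = random.Random(seed)     # fixed seed so the experiment is reproducible
    avg = sum(birthday_trials(n_bits, t1, t2, rng) for _ in range(runs)) / runs
    r = 1 << (t2 - t1 + 1)
    return avg, math.sqrt(math.pi * r / 2)


if __name__ == "__main__":
    print("mu(SHA_16;1..8) =", window_balance())
    print("average trials, regular-function estimate =", average_trials())
```

For a random function with $d = 2^{16}$ and $r = 2^8$ the expected balance is about $1 - \log_r(1 + r/d) \approx 0.9993$, so a value far below that, or an average trial count well away from the estimate, is what would flag the kind of anomaly the section is looking for.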
Abstract. It is well-known that n players connected only by pairwise
secure channels can achieve multi-party computation secure against an 
active adversary if and only if 

— t < n/2 of the players are corrupted with respect to computational 
security, or 

— t < n/3 of the players are corrupted with respect to unconditional 
security. 

In this paper we examine to what extent it is possible to achieve condi- 
tional (such as computational) security based on a given intractability 
assumption with respect to some number T of corrupted players while 
simultaneously achieving unconditional security with respect to a smaller 
threshold t < T. In such a model, given that the intractability assump- 
tion cannot be broken by the adversary, the protocol is secure against T 
corrupted players. But even if it is able to break it, the adversary is still 
required to corrupt more than t players in order to make the protocol 
fail. 

For an even more general model involving three different thresholds tp, 
ta, and T, we give tight bounds for the achievability of multi-party com- 
putation. As one particular implication of this general result, we show 
that multi-party computation computationally secure against T < n/2 
actively corrupted players (which is optimal) can additionally guarantee 
unconditional security against t < n/4 actively corrupted players “for 
free.” 

Keywords: Broadcast, computational security, multi-party computa- 
tion, unconditional security. 



1 Introduction 

Secure distributed cooperation among mutually distrusting players can be achiev-
ed by means of general multi-party computation (MPC). Typically, the goal of
such a cooperation consists of jointly computing a function on the players' in-
puts in a way that guarantees correctness of the computation result while keeping
the players' inputs private — even if some of the players are corrupted by an
adversary.

Different models for MPC have been proposed in the literature with respect
to communication, corruption flavor, and adversarial power. In this paper, we
restrict our view to the following parameters.

Communication: We exclusively consider synchronous networks meaning 
that, informally speaking, the players are synchronized to common communica- 
tion rounds with the guarantee that a sent message will be delivered still during 
the same communication round. 

Corruption: We assume a central threshold adversary with respect to a
given, fixed threshold t, meaning that it can select up to t arbitrary players out of the
n and corrupt them (meaning to take control over them). Such a player
is then said to be corrupted whereas a non-corrupted player is called correct. An
active adversary (active corruption) corrupts players by making them deviate
from the protocol in an arbitrarily malicious way.

Security: A protocol achieves unconditional security if even a computa- 
tionally unbounded adversary cannot make the protocol fail — except for some 
negligible error probability. A protocol achieves computational security if an ad- 
versary restricted to probabilistic polynomial time computations cannot make 
the protocol fail except for some negligible error probability. In this paper, we 
consider both kinds of security. 

1.1 Previous Work 

The MPC problem was first stated by Yao [Yao82]. Goldreich, Micali, and
Wigderson [GMW87] gave the first complete solution to the problem with re-
spect to computational security. For the model with a passive adversary (passive
model, for short), and given pairwise communication channels, they gave an ef-
ficient protocol that tolerates any number of corrupted players, $t < n$. For the
model with an active adversary (active model), and given both pairwise and
broadcast channels, they gave an efficient protocol that tolerates any faulty mi-
nority, $t < n/2$, which is optimal in the sense that no protocol exists for $t \ge n/2$.
Note that when not demanding security to the full extent, computationally se-
cure MPC is also achievable in presence of an active adversary that corrupts
$t \ge n/2$ players [GMW87, GHY87, BG89, GL90, FGH+02, GL02, FHHW03].
However, in this case, robustness cannot be guaranteed, i.e., it cannot be guar-
anteed that every player receives a result [Cle86].

With respect to unconditional security, Ben-Or, Goldwasser, and Wigder-
son [BGW88], and independently, Chaum, Crépeau, and Damgard [CCD88] gave
efficient protocols for the passive model that tolerate $t < n/2$ and protocols for
the active model that tolerate $t < n/3$ — assuming only pairwise communi-
cation channels in both cases. Both bounds are tight. Beaver [Bea89], and Rabin
and Ben-Or [RB89] considered the active model when given both pairwise and
broadcast channels among the players. They gave efficient protocols that achieve
unconditional security for $t < n/2$ which is optimal. A more efficient protocol
for this model was given by Cramer et al. [CDD+99].
For lack of better knowledge, protocols with computational security must
be based on unproven intractability assumptions, i.e., they must build up on
cryptographic primitives such as trapdoor permutations that are not known to
exist. Furthermore, even if such primitives existed, the particular choice of a
candidate implementation of such a primitive might be a bad one.

In order to prevent complete failure in these cases, Chaum [Cha89] consid-
ered a "hybrid" security model for MPC that achieves computational security for
some large threshold $T$ but, at the same time, unconditional security for some
smaller threshold $t < T$ — meaning that, in order to make the protocol fail,
the adversary must either corrupt more than $T$ players, or corrupt more than
$t$ players but additionally be able to break the underlying computational hard-
ness assumption. In the passive model, given pairwise communication channels,
Chaum's protocol achieves computational security with respect to $T < n$ and un-
conditional security with respect to $t < n/2$. Thus, this protocol simultaneously
achieves the optimal bounds for computational and unconditional security.

In the active model, given pairwise and broadcast channels, his protocol
achieves computational security with respect to $T < n/2$ and additionally pro-
vides unconditional privacy for all players' inputs as long as up to $t < n/3$ players
are corrupted. Note that the later results in [Bea89, RB89, CDD+99] strictly im-
ply this result: unconditional security for $t < n/2$ when assuming broadcast.¹ In
[WP89], the same "hybrid" model was considered with respect to the simulation
of broadcast when given only pairwise communication channels.



1.2 Multi-party Computation beyond t < n/3 without Broadcast 

The active model for MFC tolerating at least n/3 corrupted players typically 
assumes broadcast channels [GMW87, Bea89, RB89]. This is a very strong as- 
sumption and might not always be appropriate. Rather, broadcast has to be 
simulated by the players using the bilateral channels. But, without further as- 
sumptions, this simulation is only possible if t < n/3 [LSP82, DFF+82]. 

The only known way to allow for the simulation of broadcast beyond t < n/3 
is to use digital signatures [LSP82]. However, it is important to note that digital 
signatures by themselves are not enough. It must be additionally guaranteed 
that all correct players verify each player’s signatures in the same way, i.e., 
that all players hold the same list of public keys. Otherwise, the transfer of a 
signature would not be conclusive. We call such a setup a consistent public- 
key infrastructure (PKI). Such a PKI allows to efficiently simulate broadcast 
among the players secure against any number of corrupted players, t < n [DS82]. 
Not only can a PKI be based on a computationally secure digital signature 
scheme but also on unconditionally secure pseudo-signatures [PW96] and thus 
allowing for the simulation of unconditionally secure broadcast. Thus the results 

¹ Note that Chaum's protocol still completely relies on cryptography since the pro-
tocol's correctness is only protected by cryptographic means, i.e., by breaking the
cryptographic assumption the adversary can make the protocol fail by only corrupt-
ing one single player.
in [GMW87, Bea89, RB89] are equally achievable without broadcast channels
but with an appropriate PKI to be set up among the players — computationally
secure for [GMW87] and unconditionally secure for the other cases.

We believe that assuming a PKI is more realistic than assuming broadcast 
channels among the players and thus follow this model. 

It should be noted, though, that the use of unconditional pseudo-signatures is
not very practical. The cost of broadcasting a single bit based on (computational)
digital signatures is $t + 1$ communication rounds and $O(n^{\ldots} s)$ bits to be sent by all
players during the protocol overall — where $s$ is the size of a signature [DS83].
The cost of broadcasting a bit using unconditional pseudo-signatures is
rounds and bits to be sent overall [PW96] — which is still polynomial
but nevertheless quite impractical.²



1.3 Contributions 

Typical ways of setting up a PKI are to run a setup protocol among the players
or to involve trust management over the Internet such as, e.g., the one in PGP.
Evidently, both methods can fail to achieve a consistent PKI, namely, when
too many players are corrupted, or, respectively, when the trust management
is built on wrong assumptions. Thus, analogously to relying on computational
security, relying on the consistency of a previously set-up PKI also imposes a
potential security threat since the adversary might have been able to make the
PKI inconsistent.

This raises the natural question of whether MPC relying on the consistency
of a PKI and/or the security of a particular signature scheme can additionally
guarantee unconditional security for the case where only a small number of
the players are corrupted. Thus, in this paper, we extend the considerations
in [Cha89] (regarding the active model) to the case where not only the adversary
might be able to break the underlying hardness assumption but where also the
PKI might be inconsistent.

In particular, we consider the following model for hybrid MPC involving three
thresholds $t_p$, $t_a$, and $T$, where $t_p, t_a \le T$ with the following properties (see also
Figure 1).

— If at most $f \le \min(t_p, t_a)$ players are corrupted then we demand uncondi-
tional security.

— If $f > t_p$ then we assume that the PKI is consistent, i.e., for $t_p < f \le T$ the
computation is only as secure as the PKI.

— If $f > t_a$ then we assume that the adversary cannot forge signatures (except
for some non-negligible probability), i.e., for $t_a < f \le T$ the computation is
only as secure as the underlying signature scheme.



² Note that there is also a $(t + 1)$-round variant with an overall bit complexity of ap-
proximately $\Theta(n^{\ldots})$. However, this variant is only a one-time signature scheme which
basically means that the PKI only allows for a very limited number of signatures to
be issued.



Multi-party Computation with Hybrid Security 423 



    f players corrupted                     Security
    -----------------------------------     ------------------------------------------------------
    f ≤ min(t_p, t_a)                       unconditional
    f ≤ t_a  ∧  t_p < f ≤ T                 as secure as PKI, independent of signature scheme
    f ≤ t_p  ∧  t_a < f ≤ T                 as secure as signature scheme, independent of PKI
    t_p, t_a < f ≤ T                        as secure as PKI and signature scheme together

Fig. 1. Threshold conditions for hybrid MPC.



Or, in other words, if $f \le t_p$ then the protocol must be secure even if the
PKI is inconsistent, and, if $f \le t_a$ then the protocol must be secure even if
the adversary is able to forge signatures. Thus, in order to make such a hybrid
protocol fail with non-negligible probability, the adversary would have to corrupt
more than $f = \min(t_p, t_a)$ players and additionally have made for a bad PKI if $f > t_p$,
or be able to forge signatures if $f > t_a$.

Result. We show that hybrid MPC is achievable if and only if

$(2T + t_p < n) \wedge (T + 2t_a < n)$ (1)

implying that, without loss of generality, we can always assume that $t_p \le t_a \le$
$T$.³ See Figure 2 for a graphical representation of the tight bound. Achievability
for all cases will be demonstrated by efficient protocols that neither rely on any
particular signature scheme nor on any particular way of setting up a PKI.

As an interesting special case, the optimal result of [GMW87] (assuming a
consistent PKI instead of broadcast — allowing to drop parameter $t_p$ since the
consistency of the PKI is granted) computationally secure against $T < n/2$ cor-
rupted players additionally allows to guarantee unconditional security against
$t_a < n/4$ corrupted players "for free." On the other hand, when requiring opti-
mality with respect to unconditional security, $t_a = \lfloor (n-1)/3 \rfloor$, then practically
no higher computational bound $T$ can be simultaneously tolerated on top.

Finally, when basing the PKI on an unconditional pseudo-signature scheme
(which is not our focus), forgery becomes impossible by definition and the tight
bound collapses to $2T + t_p < n$.

Constructions. Our final MPC protocol is obtained by simulating broadcast in 
the unconditional MPC protocol of [CDD+99]. Thus the main technical contri- 
bution in this paper is to simulate broadcast (aka Byzantine agreement) in the 
given models with respect to the required security aspects. The (efficient) proto- 
col in [CDD+99] is unconditionally secure against t < n/2 corrupted players. So, 
obviously, the final MPC protocol wherein broadcast is simulated is as secure as 
the given broadcast protocol. 



³ That is, additional forgery gives the adversary no additional power when the PKI is
inconsistent.
2 Definitions and Notations

2.1 Multi-party Computation

In MPC a set of players want to distributedly evaluate some agreed function(s)
on their inputs in a way preserving privacy of their inputs and correctness of the
computed result. More precisely, in an MPC among a player set $P$ with respect
to a collection of functions $(f_1, \ldots, f_n)$, every player $p_i \in P$ holds a secret input
(vector) $x_i$ and secretly receives an output (vector) $y_i = f_i(x_1, \ldots, x_n)$.

From a qualitative point of view, the security of MPC is often broken down
to the conditions "privacy", "correctness", "robustness", and "fairness", and
ideally, a protocol should satisfy all these properties.

Privacy. A protocol achieves privacy if the adversary cannot learn more about
the correct players' inputs than given by the inputs and outputs of the
corrupted players.

Correctness. A protocol achieves correctness if the correct players' outputs
are indeed computed as defined by the functions $f_i$.

Robustness. A protocol achieves robustness if every correct player finally re- 
ceives his outputs. 

Fairness. A protocol achieves fairness if the adversary gets no information 
about the correct players’ inputs in case that robustness is not achieved. 

More formally, MPC is modeled by an ideal process involving a mutually
trusted party $\tau$ where the players secretly hand their inputs to $\tau$, followed by
$\tau$ computing the players' outputs and secretly handing them back to the corre-
sponding players [Bea91, Can00, Gol01]. This model is referred to as the ideal
model. The goal of MPC is now to achieve the same functionality in the so-called
real model where there is no such trusted party such that an adversary gets no
advantage compared to an execution of the ideal protocol. An MPC protocol is
defined to be secure if, for every adversary $A$ in the protocol, there is an adver-
sary $S$ in the ideal model that, with similar costs, achieves (essentially) the same
output distribution as the adversary in the protocol [Bea91, Can00, Gol01].



2.2 Broadcast 

Broadcast is the special case of an MPC. In broadcast, one player $p_s$ is given an
initial value which everybody is required to receive. The definition is as follows:

Definition 1 (Broadcast). A protocol among $n$ players, where player $p_s \in P$
(called the sender) holds an input value $x_s$ and every player $p_i$ ($i \in \{1, \ldots, n\}$)
computes an output value $y_i$, achieves broadcast if it satisfies:

— Validity: If the sender is correct then all correct players $p_i$ compute output
$y_i = x_s$.

— Consistency: All correct players compute the same output value $y$.

Often, it is also added to the definition that the protocol is always required 
to terminate. We will not mention this property explicitly since termination is 
obvious for our protocols. 

Note that broadcast for any finite domain easily reduces to binary broadcast 
(where the sender sends a value from {0, 1}) as, e.g., shown by Turpin and 
Coan [TC84]. We will thus focus on binary broadcast. 

During the simulation of broadcast, using signatures, it must be avoided that 
previous signatures can be reused by the adversary in a different context, i.e., an 
independent phase or another instance of the protocol. This fact was observed 
in [GLR95] and more profoundly treated in [LLR02]. To avoid such “replay 
attacks” values can be combined with unique sequence numbers before signing. 
The sequence numbers themselves do not have to be transferred since they can 
be generated in a predefined manner (encoding the protocol instance and the 
communication round). However, we will not explicitly state these details in the 
descriptions of the sequel. 

2.3 Setting 

We consider a set $P = \{p_1, \ldots, p_n\}$ of $n$ players that are connected via a complete
synchronous network of pairwise secure channels. We assume a PKI to be set up
among the players.

A given PKI is consistent if every player $p_i$ ($i \in \{1, \ldots, n\}$) has a secret-
key/public-key pair $(SK_i, PK_i)$ which was chosen by $p_i$ with respect to the key-
generation algorithm of a digital signature scheme and, additionally, that each
respective public key $PK_i$ is known to all players as $p_i$'s public key to be exclu-
sively used for the verification of $p_i$'s signatures. Asserting that, with respect to
every signer $p_i$, each player holds the same public key $PK_i$ guarantees that $p_i$'s
signatures can be transferred between the players without losing conclusiveness.
In our model, the PKI may or may not be consistent.⁴

We assume the existence of an active threshold adversary to corrupt some
of the players. The adversary may or may not be able to forge signatures. Fur-
thermore, for our protocols, the adversary is assumed to be adaptive (but non-
mobile). In contrast, our proofs of optimality even hold with respect to a static
adversary. As we have three bounds with respect to player corruption, $t_p$, $t_a$,
and $T$, we will make a stringent distinction between these bounds and the actual
number of players corrupted at the end of the protocol, which we will denote
by $f$.⁵



2.4 Protocol Notation 

Protocols are specified with respect to a player set $P$ and stated with respect to
the local view of player $p_i$, meaning that all players $p_i \in P$ execute this code in
parallel with respect to their own identity $i$.

With respect to pairwise communication we also consider reflexive channels 
among the players for simplicity. Thus, when a player pi sends a value to each 
player then pi also receives a copy himself. 

For simplicity, in our protocol notation, we do not explicitly state how to 
handle values received from corrupted players that are outside the specified do- 
main. Such a value is always implicitly assumed to be replaced by a default value 
or by any arbitrary value inside the specified domain. 



3 Generic Broadcast Simulation for t < n/2 

Our broadcast simulations are based on the "phase king" protocol in [BGP89].
In [FM00], it was observed that any protocol for "weak broadcast" is sufficient
in order to achieve broadcast secure against a faulty minority — as secure as
the given protocol for weak broadcast. Since all of our tight bounds imply that
strictly less than half of all players are corrupted we thus only need to give
respective protocols for weak broadcast.

Weak broadcast (as called in [FM00]) was originally introduced in [Dol82]
under the name crusader agreement. Weak broadcast is the same as broadcast
for the case that the sender is correct but, if the sender is corrupted, then some
players might end up with the "invalidity symbol" $\perp$ — but still, it guarantees
that no two correct players end up with two different values in $\{0, 1\}$.

⁴ In case of unconditional pseudo-signatures the situation is slightly different since,
instead of the same public key $PK_i$, each player $p_j$ holds a different "public key"
$PK_{ij}$ (which is in fact secret).

⁵ As the adversary is adaptive, the number might increase during the execution of the
protocol, and reach its maximum at the end.
Definition 2 (Weak broadcast). A protocol where one player $p_s$ has an input
$x_s \in \{0, 1\}$ and every player $p_i$ computes an output $y_i \in \{0, 1, \perp\}$ achieves weak
broadcast if it satisfies the following conditions:

— Validity: If $p_s$ is correct then every correct player $p_i$ computes output $y_i =$
$x_s$.

— Consistency: If player $p_i$ is correct and computes $y_i \in \{0, 1\}$ then every
correct player $p_j$ computes $y_j \in \{y_i, \perp\}$.

In Appendix A, we describe a reduction from broadcast to weak broadcast
that is simpler and more efficient than the one in [FM00], yielding the following
theorem.

Theorem 1. If at most $t < n/2$ players are corrupted then efficient achievability
of weak broadcast implies efficient achievability of broadcast.

4 Tight Bounds 

We now demonstrate the tightness of the bound given in Bound (1). 

4.1 Efficient Protocol 

We first give an efficient protocol for broadcast and then show how to plug it
into the MPC protocol in [CDD+99] in order to get our final protocol for efficient
hybrid MPC.

Broadcast. For the constructive part, according to Theorem 1, it is sufficient
to give a construction for weak broadcast. The following protocol is designed for
any selection of thresholds $t_p$, $t_a$, and $T$ ($t_p \le t_a \le T$), satisfying Bound (1).

Let $x_s$ be $p_s$'s input value, and let $\sigma_s(x_s)$ be a signature by $p_s$ on the value $x_s$.
Furthermore, let $V$ be the signature verification algorithm with respect to the
underlying signature scheme computing $V(x, \sigma, PK) = 1$ if $\sigma$ is a valid signature
on $x$ with respect to public key $PK$, and $V(x, \sigma, PK) = 0$ otherwise. Let $PK_i^s$
be player $p_i$'s version of $p_s$'s public key. We use $V_i^s(x, \sigma)$ as a short cut for
$V(x, \sigma, PK_i^s)$. With respect to player $p_i$, we say that a given signature $\sigma$ is valid
if it is valid with respect to $p_i$'s view, i.e., $V_i^s(x, \sigma) = 1$. In particular, a valid
signature with respect to player $p_i$'s view might in fact not have been issued by
the respective signer.

The protocol works as follows. The sender ps signs his input value and sends 
his input together with its signature to every other player: (xs, CTs(a;s)). Every 
player except for the sender now redistributes this information to everybody 
(but without signing this new message himself). Now, every player received n 
values, one from every player. Each player pi now decides on the outcome of the 
protocol: 

~ Let xf be the bit he directly received from the sender. If the bit xf is received 
from at least n — tp different players overall then he computes output pi = xi- 
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— Otherwise, if he received the bit xf together with a valid signature by Ps 
from the sender and at least n — ta different players overall then he decides 
on Hi = Xi. 

— Otherwise, if he received the bit Xi together with a valid signature by Ps 
from the sender and at least n — T different players overall — but no single 
correct signature by Ps for bit 1 — Xi — then he decides on yi = Xi. 

— Otherwise, he decides on = _L. 



Protocol 1 WeakBroadcast_{p_s}(P, x_s) 

1. if i = s then SendToAll(x_s, σ_s(x_s)) fi; Receive(x_i^s, σ_i^s); 

2. if i ≠ s then SendToAll(x_i^s, σ_i^s) fi; ∀j ≠ s: Receive(x_i^j, σ_i^j); 

3. U_i^0 := {p_j ∈ P | x_i^j = 0}; U_i^1 := {p_j ∈ P | x_i^j = 1}; 

4. S_i^0 := {p_j ∈ P | x_i^j = 0 ∧ V_i^s(0, σ_i^j) = 1}; 
   S_i^1 := {p_j ∈ P | x_i^j = 1 ∧ V_i^s(1, σ_i^j) = 1}; 

5. if |U_i^{x_i^s}| ≥ n − t_p then y_i := x_i^s                                        (A) 
   elseif p_s ∈ S_i^{x_i^s} ∧ |S_i^{x_i^s}| ≥ n − t_σ then y_i := x_i^s                    (B) 
   elseif p_s ∈ S_i^{x_i^s} ∧ |S_i^{x_i^s}| ≥ n − T ∧ S_i^{1−x_i^s} = ∅ then y_i := x_i^s   (C) 
   else y_i := ⊥ fi;                                                              (D) 

6. return y_i 



Lemma 1 (Weak Broadcast). Protocol 1 among the players P = {p_1, . . . , p_n} 
achieves efficient weak broadcast with sender p_s ∈ P if 2T + t_p < n and T + 2t_σ < n. 

Proof. We show that the validity and consistency properties are satisfied. For 
this, let f be the number of corrupted players at the end of the protocol. Effi- 
ciency is obvious. 

Validity: Suppose that the sender p_s is correct. Hence, every correct player 
p_i receives the sender's input x_s during Step 1 of the protocol, x_i^s = x_s, and a 
signature σ_i^s. 

If f ≤ t_p then every correct player p_i receives the value x_s from at least 
n − t_p different players (including the sender) during Steps 1 and 2. Hence, 
|U_i^{x_s}| ≥ n − t_p, and p_i computes y_i = x_s according to Condition (A) in Step 5. 

If t_p < f ≤ t_σ then every correct player p_i receives the value x_s together 
with a valid signature by p_s (note that the PKI is consistent in this case) from 
at least n − t_σ different players (including the sender) during Steps 1 and 2. 
Hence, |S_i^{x_s}| ≥ n − t_σ, and p_i computes y_i = x_s according to Conditions (A) 
or (B) in Step 5. 

If t_σ < f ≤ T then every correct player p_i receives the value x_s together with 
a valid signature by p_s from at least n − T different players (including the sender) 
during Steps 1 and 2. Hence, |S_i^{x_s}| ≥ n − T and S_i^{1−x_s} = ∅ since the adversary 
cannot forge signatures in this case. Hence, p_i computes y_i = x_s according to 
Conditions (A), (B), or (C). 

Consistency: Suppose that some correct player p_i computes output y_i ≠ ⊥. We 
have to show that hence, every correct player computes an output y_j ∈ {y_i, ⊥}. 

Suppose first that p_i decides according to Condition (A) in Step 5, i.e., 
|U_i^{y_i}| ≥ n − t_p. For p_j this implies that |U_j^{y_i}| ≥ |U_i^{y_i}| − T ≥ n − t_p − T > T 
and hence that |U_j^{1−y_i}| < n − T, and thus that p_j cannot compute 
y_j = 1 − y_i, neither according to Conditions (A), (B), nor (C). 

Second, suppose that p_i decides according to Condition (B) in Step 5, i.e., 
|S_i^{y_i}| ≥ n − t_σ. It remains to show that p_j does not decide on y_j = 1 − y_i according 
to Conditions (B) or (C) (the rest is ruled out by the last paragraph). For p_j 
the assumption implies that 

|U_j^{y_i}| ≥ |U_i^{y_i}| − f ≥ n − t_σ − f ≥ { n − 2t_σ > T,       if f ≤ t_σ, 
                                         { n − t_σ − T > t_σ,   if f ≤ T. 

Now, if f ≤ t_σ then |S_j^{1−y_i}| ≤ |U_j^{1−y_i}| < n − T, and p_j cannot compute y_j = 1 − y_i 
according to Conditions (B) or (C). If t_σ < f ≤ T then |U_j^{1−y_i}| < n − t_σ and 
S_j^{y_i} ≠ ∅ (since the PKI is consistent and p_i holds and redistributes a valid 
signature on y_i), and thus p_j still cannot compute y_j = 1 − y_i according to 
Conditions (B) or (C). 

Third, suppose that p_i decides according to Condition (C) in Step 5, i.e., 
|S_i^{y_i}| ≥ n − T and S_i^{1−y_i} = ∅. It remains to show that p_j cannot decide on 
y_j = 1 − y_i according to Condition (C). Now, f ≤ t_p implies |U_j^{1−y_i}| < n − T 
(since |U_j^{y_i}| ≥ n − T − t_p > T), and f > t_p implies S_j^{y_i} ≠ ∅ (since the PKI 
is consistent). Finally, both implications rule out that p_j computes y_j = 1 − y_i 
according to Condition (C). □ 
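The following Python simulation is an added example and not code from the paper: it implements the decision rule of Protocol 1 (Steps 3 to 5) and plays through the three cases of the validity proof above (f ≤ t_p, t_p < f ≤ t_σ, t_σ < f ≤ T) as well as a corrupt sender who signs different bits for different players. Signatures are modelled by a keyed MAC whose verification key doubles as the "public key", an assumption made only to exercise the valid, invalid and wrong-key branches; the setting n = 9 and (t_p, t_σ, T) = (1, 2, 3) is constructed to satisfy Bound (1).

```python
import hashlib
import hmac

BOT = None  # stands for the output symbol ⊥

# Toy signature model, constructed for this example: sigma_s(x) is a keyed MAC and
# the "public key" handed to a verifier is the same key. It is not a real signature
# scheme; it only lets us exercise the valid, invalid and wrong-key branches.
def sign(sk: bytes, x: int) -> bytes:
    return hmac.new(sk, bytes([x]), hashlib.sha256).digest()

def verify(x: int, sig, pk: bytes) -> bool:
    """V(x, sigma, PK) = 1 iff sigma is a valid signature on x under PK."""
    return sig is not None and hmac.compare_digest(sign(pk, x), sig)

def decide(s, n, received, pk_i_s, t_p, t_sigma, T):
    """Steps 3-5 of Protocol 1 from one player p_i's view.

    received: {j: (x_i^j, sigma_i^j)} for all n players; the entry j = s is the
              pair p_i got directly from the sender in Step 1.
    pk_i_s:   PK_i^s, p_i's version of the sender's public key.
    Returns (y_i, condition) with condition in {"A", "B", "C", "D"}.
    """
    x_s = received[s][0]  # x_i^s, the bit received from the sender
    U = {b: {j for j, (x, _) in received.items() if x == b} for b in (0, 1)}
    S = {b: {j for j in U[b] if verify(b, received[j][1], pk_i_s)} for b in (0, 1)}
    if len(U[x_s]) >= n - t_p:                                   # (A)
        return x_s, "A"
    if s in S[x_s] and len(S[x_s]) >= n - t_sigma:               # (B)
        return x_s, "B"
    if s in S[x_s] and len(S[x_s]) >= n - T and not S[1 - x_s]:  # (C)
        return x_s, "C"
    return BOT, "D"                                              # (D)

def run(n, s, thresholds, sender_msgs, corrupt, forward, pk_views):
    """Steps 1-2 with a constructed adversary, then Step 5 for each correct player.

    sender_msgs: {i: (x, sigma)} what the (possibly corrupt) sender hands to p_i.
    forward:     {j: {i: (x, sigma)}} what corrupt non-sender j forwards to p_i
                 in Step 2; correct players forward their own Step-1 message.
    pk_views:    {i: PK_i^s}; views may differ when the adversary corrupts at
                 most t_p players and has made the PKI inconsistent.
    Returns {i: (y_i, condition)} for the correct players.
    """
    t_p, t_sigma, T = thresholds
    outputs = {}
    for i in range(n):
        if i in corrupt:
            continue
        received = {}
        for j in range(n):
            if j == s:
                received[j] = sender_msgs[i]   # Step 1
            elif j in corrupt:
                received[j] = forward[j][i]    # adversarial Step 2
            else:
                received[j] = sender_msgs[j]   # honest Step 2 redistribution
        outputs[i] = decide(s, n, received, pk_views[i], t_p, t_sigma, T)
    return outputs

# Constructed setting: n = 9, sender p_0, (t_p, t_sigma, T) = (1, 2, 3), which
# satisfies Bound (1): 2T + t_p = 7 < 9 and T + 2t_sigma = 7 < 9.
N, SENDER, TH = 9, 0, (1, 2, 3)
SK = b"sender-secret-key"        # p_0's real key
FAKE = b"adversary-chosen-key"   # key the adversary plants in an inconsistent PKI

def honest_sender(x):
    return {i: (x, sign(SK, x)) for i in range(N)}

def forward_all(corrupt, msg):
    return {j: {i: msg for i in range(N)} for j in corrupt}

def scenario_bad_pki():
    """f = 1 <= t_p: p_8 is corrupt and p_7 holds the adversary's key as PK_7^0.
    Signatures are worthless here, yet Condition (A) still yields the sender's bit."""
    pk = {i: SK for i in range(N)}
    pk[7] = FAKE
    return run(N, SENDER, TH, honest_sender(1), {8},
               forward_all({8}, (0, sign(FAKE, 0))), pk)

def scenario_unforgeable(f):
    """t_p < f <= T corrupt players forward bit 0 with signatures that do not
    verify; the PKI is consistent, so the correct players decide via (B) or (C)."""
    corrupt = set(range(N - f, N))
    pk = {i: SK for i in range(N)}
    return run(N, SENDER, TH, honest_sender(1), corrupt,
               forward_all(corrupt, (0, sign(FAKE, 0))), pk)

def scenario_split_sender():
    """A corrupt sender signs 0 for p_1..p_7 and 1 for p_8. Consistency requires the
    correct outputs to lie in {0, ⊥} (or {1, ⊥}), never to contain both 0 and 1."""
    msgs = {i: (0, sign(SK, 0)) for i in range(N)}
    msgs[8] = (1, sign(SK, 1))
    return run(N, SENDER, TH, msgs, {0}, {}, {i: SK for i in range(N)})
```

With f = 2 the correct players decide via (B) and with f = 3 via (C), exactly as the case split of the proof predicts; in the split-sender run p_1, ..., p_7 output 0 via (A) while p_8 outputs ⊥.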



Multi-party Computation. The MPC protocol in [CDD+99] unconditionally 
tolerates an (adaptive) adversary that corrupts up to t < n/2 players, but 
assuming broadcast channels to be available. 

Theorem 2. Hybrid MPC is efficiently achievable if 2T + t_p < n and T + 2t_σ < n. 

Proof. Efficient achievability of hybrid broadcast for 2T + t_p < n and T + 2t_σ < n 
follows from Lemma 1 and Theorem 1. We can now simulate each invocation of 
a broadcast channel in [CDD+99] with an instance of such a hybrid broadcast 
protocol. Since Bound (1) implies 2T < n, we have that t_p ≤ t_σ ≤ T < n/2. 
Thus, an adversary that is tolerated in the broadcast protocol is automatically 
tolerated in the MPC protocol. □ 



4.2 Tightness 

We now show that Bound (1) is tight. We do this in three steps. First, we show 
that hybrid broadcast is impossible if t_p > 0, t_σ = 0, and 2T + t_p ≥ n. Second, 
we show that hybrid broadcast is impossible if t_p = 0, t_σ > 0, and T + 2t_σ ≥ n. 
Third, we use the fact that MPC is impossible whenever 2T ≥ n [Cle86]. 
Impossibility of Broadcast for t_p + 2T ≥ n when t_p > 0. The proof pro- 
ceeds along the lines of the proof in [FLM86] that unconditional broadcast for 
t ≥ n/3 is impossible. The idea is to assume any protocol among n players that 
(possibly) achieves broadcast for n ≤ 2T + t_p (t_p > 0, t_σ = 0) and to use it 
to build a different distributed system whose behavior demonstrates that the 
original protocol must be insecure. It is important to note that this new system 
is not required to achieve broadcast. It is simply a distributed system whose 
behavior is determined by the protocol or, more precisely, by the corresponding 
local programs of the involved players. Also, it is assumed that no adversary is 
present in this system. Rather, with respect to some of the players, the way the 
new system is composed simulates an admissible adversary with respect to these 
players in the original system. Thus, with respect to these players, all conditions 
of broadcast are required to be satisfied among them even in this new system. 
Finally, it is shown that all of these players' respective conditions cannot be 
satisfied simultaneously and thus that the protocol cannot achieve broadcast. 


Building the new system. Assume any protocol Ψ for a player set P with sender 
p_0 and |P| = n ≥ 3 that tolerates 2T + t_p ≥ n (with t_p > 0). 

Let Π = {π_0, . . . , π_{n−1}} be the set of the players' corresponding processors 
with their local programs sharing a consistent PKI where player p_i's secret- 
key/public-key pair is (SK_i, PK_i) and player p_j's copy of the respective public 
key is PK_ij. Since 0 < t_p ≤ T, it is possible to partition the processors into 
three sets, Π_0 ∪ Π_1 ∪ Π_2 = Π, such that 1 ≤ |Π_0| ≤ t_p, 1 ≤ |Π_1| ≤ T, and 
1 ≤ |Π_2| ≤ T. 

For each π_i ∈ Π_0, let π_i' be an identical copy of processor π_i. Let the number 
i denote the type of any processor π_i (or π_i', respectively). Furthermore, let 
Π_0' = {π_i' | π_i ∈ Π_0} form an identical copy of set Π_0. For all π_i ∈ Π_0', generate 
a new secret-key/public-key pair (SK_i', PK_i') and overwrite π_i''s own secret key 
SK_i := SK_i'. Additionally, for all π_j ∈ Π_2 ∪ Π_0', overwrite π_j's copy of π_i's public 
key: PK_ij := PK_i' (and PK_ij' := PK_i'). See Figure 3. 

Instead of connecting the original processors as required for broadcast, we 
build a network involving all processors in Π_0 ∪ Π_1 ∪ Π_2 ∪ Π_0' with their pairwise 
communication channels connected in a way such that each processor π_i (or π_i') 
communicates with at most one processor of each type j ∈ {1, . . . , n} \ {i}. 

Consider Figure 3. Exactly all pairs in (Π_0 ∪ Π_1) × (Π_0 ∪ Π_1), (Π_1 ∪ Π_2) × (Π_1 ∪ 
Π_2), and (Π_2 ∪ Π_0') × (Π_2 ∪ Π_0') are connected by pairwise channels. There are no 
connections between the sets Π_0 and Π_2, and no connections between the sets Π_1 
and Π_0'. Messages that originally would have been sent from a processor in Π_0 to 
a processor in Π_2 are discarded. Messages that originally would have been sent 
from a processor in Π_2 to a processor in Π_0 are delivered to the corresponding 
processor in Π_0'. Messages sent from a processor in Π_0' to a processor in Π_1 are 
discarded. 

We now show that for the sets Π_0 ∪ Π_1, Π_1 ∪ Π_2, and Π_2 ∪ Π_0', and for 
inputs x_0 = 0 and x_0' = 1, each set's joint view is indistinguishable from its view 
in the original setting for an adversary corrupting the remaining processors in 
an admissible way, and possibly having made for a bad PKI if it corrupts at most 
f ≤ t_p processors. 

Fig. 3. Rearrangement of processors in proof of Theorem 3. (The figure shows the 
key tables of the four sets Π_0, Π_1, Π_2, Π_0', in that order: for type 0 the entries are 
PK_0/SK_0, PK_0, PK_0', PK_0'/SK_0'; for type 1 they are PK_1, PK_1/SK_1, PK_1, PK_1; 
for type 2 they are PK_2, PK_2, PK_2/SK_2, PK_2.) 

Lemma 2. If the input of π_0 is x_0 = 0 then the joint view of the processors 
in Π_0 ∪ Π_1 is indistinguishable from their view in the original system when the 
adversary corrupts the processors in Π_2 in an admissible way. 

Proof. By corrupting all processors in Π_2 in the original system the adversary 
simulates all processors in Π_2 ∪ Π_0' of the new system. For all π_i ∈ Π_0 it generates 
a new secret-key/public-key pair (SK_i', PK_i') and overwrites π_i''s own secret key 
SK_i := SK_i' and, for all π_j ∈ Π_2 ∪ Π_0', overwrites π_j's copy of π_i's public key: 
PK_ij := PK_i' (and PK_ij' := PK_i'). Initially, the adversary overwrites input x_0' := 1. 
The PKI among the processors in Π_0 ∪ Π_1 is still fully consistent and thus the 
joint view of the processors in Π_0 ∪ Π_1 in the original system is exactly the same 
as their view in the new system. □ 



Lemma 3. If the input of π_0' is x_0' = 1 then the joint view of the processors 
in Π_2 ∪ Π_0' is indistinguishable from their view in the original system when the 
adversary corrupts the processors in Π_1 in an admissible way. 

Proof. By symmetry, this case follows from Lemma 2.* □ 



Lemma 4. The joint view of the processors in Π_1 ∪ Π_2 is indistinguishable from 
their view in the original system when the adversary corrupts the processors in 
Π_0 in an admissible way. 

Proof. Since |Π_0| ≤ t_p the adversary can have previously made the PKI incon- 
sistent by generating and respectively distributing the key pairs (SK_i', PK_i') for 
all π_i ∈ Π_0' (according to Figure 3). By corrupting all processors in Π_0 in the 
original system the adversary can now simulate all processors in Π_0 ∪ Π_0' of the 
new system whereas, initially, it overwrites x_0 := 0 and x_0' := 1. Thus the joint 
view of the processors in Π_1 ∪ Π_2 in the original system is exactly the same as 
their view in the new system. □ 

* The only difference in this case is that Π_0' takes the role of the original set and 
Π_0 the role of its copy. Accordingly, the initial key pairs are (SK_i', PK_i'), the pairs 
(SK_i, PK_i) are newly generated by the adversary, and x_0 := 0 is overwritten. 

Theorem 3. If 2T + t_p ≥ n and t_p > 0 then there exists no hybrid broadcast 
protocol. In particular, for every protocol there exists a sender input x_0 ∈ {0, 1} 
such that a computationally bounded adversary can make the protocol fail with 
some non-negligible probability, by either corrupting T players, or by corrupt- 
ing t_p players and additionally having made for an inconsistent PKI. 

Proof. Assume that x_0 = 0 and x_0' = 1. Then, by Lemmas 2, 3, and 4, each 
mentioned set's joint view in the new system is indistinguishable from their 
view in the original system. However, for each run of the new system, either 
validity is violated among the processors in S_01 = Π_0 ∪ Π_1 or S_20' = Π_2 ∪ Π_0', 
or consistency is violated among the processors in S_12 = Π_1 ∪ Π_2. 

Thus there is a sender input (x_0 = 0 or x_0 = 1) such that the adversary can 
make the protocol fail with non-negligible probability by uniformly randomly 
choosing a processor set Π_k and corrupting the respective processors correspond- 
ingly. □ 

Impossibility of Broadcast for 2t_σ + T ≥ n when t_σ > 0. The proof of 
this case is very similar to the proof of Theorem 3. 

Theorem 4. If T + 2t_σ ≥ n and t_σ > 0 then there exists no hybrid broadcast pro- 
tocol. In particular, for every protocol there exists a sender input x_0 ∈ {0, 1} such 
that the adversary can make the protocol fail with some non-negligible probability, 
by either corrupting T players, or by corrupting t_σ players and additionally 
being able to forge signatures with non-negligible probability. 

Proof. Assume any protocol Ψ for a player set P with sender p_0 and |P| = n ≥ 3 
that tolerates T + 2t_σ ≥ n (with t_σ > 0). 

Let Π = {π_0, . . . , π_{n−1}} be the set of the players' corresponding processors 
with their local programs. Since 0 < t_σ ≤ T, it is possible to partition the 
processors into three sets, Π_0 ∪ Π_1 ∪ Π_2 = Π, such that 1 ≤ |Π_0| ≤ T, 1 ≤ |Π_1| ≤ 
t_σ, and 1 ≤ |Π_2| ≤ t_σ. 

For each π_i ∈ Π_0, let π_i' be an identical copy of processor π_i and, as in the 
proof of Theorem 3, let Π_0' = {π_i' | π_i ∈ Π_0} form an identical copy of set Π_0. 

Consider Figure 4. Exactly all pairs in (Π_0 ∪ Π_1) × (Π_0 ∪ Π_1), (Π_1 ∪ Π_2) × 
(Π_1 ∪ Π_2), and (Π_2 ∪ Π_0') × (Π_2 ∪ Π_0') are connected by pairwise channels. 

Again, we show that for the sets Π_0 ∪ Π_1, Π_1 ∪ Π_2, and Π_2 ∪ Π_0', and for 
inputs x_0 = 0 and x_0' = 1, each set's joint view is indistinguishable from its view 
in the original setting. 
Jo int view of Π_0 ∪ Π_1 with x_0 = 0. By corrupting all processors in Π_2 in the 
original system the adversary simulates all processors in Π_2 ∪ Π_0' of the new 
system. Since |Π_2| ≤ t_σ, the adversary can forge all signatures by processors in 
Π_0 required for the simulation. Initially, the adversary overwrites input x_0' := 1. 
Thus the joint view of the processors in Π_0 ∪ Π_1 in the original system is exactly 
the same as their view in the new system. 

Joint view of Π_2 ∪ Π_0' with x_0' = 1. By symmetry, this case follows from the 
above paragraph. 

Joint view of Π_1 ∪ Π_2. By corrupting all processors in Π_0 in the original system 
the adversary can simulate all processors in Π_0 ∪ Π_0' of the new system whereas, 
initially, it overwrites x_0 := 0 and x_0' := 1. Note that, by corrupting the proces- 
sors in Π_0, the adversary gains access to all corresponding secret keys and thus 
is not required to forge any signatures for the simulation. Thus the joint view 
of the processors in Π_1 ∪ Π_2 in the original system is exactly the same as their 
view in the new system. 

The theorem now follows along the lines of the proof of Theorem 3. □ 

Multi-party Computation. In order to complete our tightness argument, we 
require the following proposition. 

Proposition 1 ([Cle86]). There is no protocol for MPC secure against T ≥ 
n/2 actively corrupted players. In particular, fairness cannot be guaranteed. 

Theorem 5. Hybrid MPC is impossible if either 2T + t_p ≥ n or T + 2t_σ ≥ n. 

Proof. The theorem follows from Theorems 3 and 4, and Proposition 1. □ 

5 Conclusion and Open Problems 

We can now conclude tight bounds for the achievability of hybrid MPC with 
respect to thresholds t_p, t_σ, and T. 

Theorem 6. Hybrid MPC is (efficiently) achievable if and only if 2T + t_p < n 
and T + 2t_σ < n. 

Proof. The theorem follows from Theorems 2 and 5. □ 

In particular, assuming the PKI to be consistent in any case (as in the alter- 
native model for [GMW87] assuming a PKI instead of broadcast) we can drop 
parameter t_p and immediately get the tight bound 2T < n ∧ T + 2t_σ < n. 
This means that, with respect to this model, computational security against 
f ≤ T < n/2 corrupted players can be combined with unconditional security 
against f ≤ t_σ corrupted players. 

The characterization given in Theorem 6 is tight with respect to fully secure, 
robust MPC. However, as mentioned in the introduction, non-robust MPC is 
also possible in presence of a corrupted majority. Thus, for the case t_p = 0, it 
remains an open question whether hybrid non-robust MPC can be achieved for 
any T + 2t_σ < n. 
A Reducing Broadcast to Weak Broadcast 

In this section we describe how to efficiently reduce broadcast to weak broadcast 
in a way that is more direct than in [FM00]. Given that at most t < n/2 play- 
ers are corrupted the resulting protocol for broadcast is as secure as the given 
protocol for weak broadcast. 

In a first step, weak broadcast is transformed into a protocol for graded 
consensus (Section A.1), the “consensus variant” of graded broadcast introduced 
by Feldman and Micali in [FM97]; and finally, graded consensus is transformed 
into broadcast (Section A.2). 

A.1 Graded Consensus 

In graded consensus, every player has an input x and receives two outputs, a 
value y ∈ {0, 1} and a grade g ∈ {0, 1}. If all correct players start with the same 
value x then all players output y = x and g = 1. Additionally, if any correct 
player ends up with grade g = 1 then all correct players output the same value 
y, i.e., computing g = 1 means “detecting agreement.” 



Definition 3 (Graded Consensus). A protocol where every player p_i has an 
input x_i ∈ {0, 1} and computes two output values y_i, g_i ∈ {0, 1} achieves graded 
consensus if it satisfies the following conditions: 

— Validity: If all correct players have the same input value x then every 
correct player p_i computes y_i = x and g_i = 1. 

— Consistency: If any correct player p_i computes g_i = 1 then every correct 
player p_j computes y_j = y_i. 

The following protocol for graded consensus basically consists of two consec- 
utive rounds wherein each player weak-broadcasts a value. Note that, in Step 4 
of the protocol, the domain of weak broadcast is ternary, namely {0, 1, ⊥}. Fol- 
lowing the restriction to focus on protocols with binary domains we can simply 
interpret such a protocol as being simulated by two parallel invocations of binary 
weak broadcast. 

Protocol 2 GradedConsensus(P, x_i) 

1. ∀j ∈ {1, . . . , n}: x_i^j := WeakBroadcast_{p_j}(P, x_j); 

2. S_i^0 := {j ∈ {1, . . . , n} | x_i^j = 0}; S_i^1 := {j ∈ {1, . . . , n} | x_i^j = 1}; 

3. if |S_i^{x_i}| ≥ n − t then z_i := x_i else z_i := ⊥ fi; 

4. ∀j ∈ {1, . . . , n}: z_i^j := WeakBroadcast_{p_j}(P, z_j); 

5. T_i^0 := {j ∈ {1, . . . , n} | z_i^j = 0}; T_i^1 := {j ∈ {1, . . . , n} | z_i^j = 1}; 

6. if |T_i^0| > |T_i^1| then y_i := 0 else y_i := 1 fi; 

7. if |T_i^{y_i}| ≥ n − t then g_i := 1 else g_i := 0 fi; 

8. return (y_i, g_i) 



Lemma 5 (Graded Consensus). If Protocol WeakBroadcast achieves weak 
broadcast then Protocol 2 achieves graded consensus secure against t < n/2 cor- 
rupted players. 

Proof. 

Validity: If all correct players hold the same value x at the beginning of the 
protocol then, by the validity property of weak broadcast, |S_i^x| ≥ n − t > t 
for every correct player p_i and thus z_i = x_i = x. Finally, |T_i^x| ≥ n − t > t, 
|T_i^{1−x}| < n − t, and y_i = x and g_i = 1. 

Consistency: Note that every correct player p_i that does not compute z_i = ⊥ 
(in Step 3) holds the same value z_i = z: By the validity property of weak 
broadcast, |S_i^{x_i}| ≥ n − t implies that |S_j^{1−x_i}| ≤ t < n − t. 

Now, let p_i and p_j be two correct players and suppose that p_i decides on 
y_i = y ∈ {0, 1} and g_i = 1. We have to show that y_j = y. 

From g_i = 1 it follows that |T_i^y| ≥ n − t > t and thus that at least one correct 
player p_k must have sent z_k = y during Step 4, and with the above remark, that 
no correct player p_k can have sent z_k = 1 − y during Step 4. 

Let ℓ be the number of corrupted players who distributed value y during 
Step 4. Now, |T_i^y| ≥ n − t implies |T_j^y| ≥ n − t − ℓ > t − ℓ and |T_j^{1−y}| ≤ t − ℓ 
since only the remaining t − ℓ corrupted players can have sent value 1 − y during 
Step 4. Thus, p_j computes y_j := y = y_i. □ 
A.2 Broadcast 

For simplicity, without loss of generality, assume s = 1, i.e., that p_1 is the sender 
of the broadcast. 

Protocol 3 Broadcast_{p_1}(P, x_1) 

1. p_1: Send x_1; Receive(y_i) 

2. p_i: for k = 2 to t + 1 do 

3.    (y_i, g_i) := GradedConsensus(P, y_i); 

4.    p_k: Send y_k; Receive(y_i^k) 

5.    if g_i = 0 then y_i := y_i^k fi 

6. od; return y_i 

Lemma 6. Suppose that Protocol GradedConsensus achieves graded consensus. 
If in Protocol 3, for some k ∈ {2, . . . , t + 1}, every correct player p_i holds the 
same value y_i = b at the beginning of Step 3 then y_i = b holds at the end of the 
protocol. 

Proof. Suppose that y_i = b ∈ {0, 1} for every correct player p_i before Step 3 (for 
some k). Because of the validity property of graded consensus, after Step 3 (for 
k), every correct player p_i holds y_i = b and g_i = 1, and thus ignores Step 5 (for 
k). Thus, by induction, every correct player p_i ends the protocol with y_i = b. □ 

Lemma 7 (Broadcast). If Protocol GradedConsensus achieves graded con- 
sensus then Protocol 3 achieves broadcast with sender p_1 (for any t < n). 

Proof. We show that the validity and consistency properties of broadcast are 
satisfied. 

Validity: Suppose the sender p_1 to be correct with input x_1 = b. Hence, every 
correct player p_i holds value y_i = b before Step 3 for k = 2. And by Lemma 6, 
every correct player p_i ends the protocol with y_i = b. 

Consistency: If the sender is correct then consistency is implied by the validity 
property. Assume now that p_1 is corrupted. Hence there is a correct player p_k 
(k ∈ {2, . . . , t + 1}). We now argue that, for such a k where p_k is correct, every 
correct player p_i holds the same value y_i after Step 5. Then, together with 
Lemma 6, the consistency property follows. 

First, suppose that every correct player p_i holds g_i = 0 after Step 3. Then 
all of them adopt p_k's value, y_i = y_i^k, and consistency follows from Lemma 6. 
Suppose now that any correct player p_i holds g_i = 1 after Step 3. Then, by the 
consistency property of graded consensus, p_k and every other correct player p_j 
hold y_k = y_i = y_j, and consistency follows from Lemma 6. □ 

Theorem 1. If at most t < n/2 players are corrupted then efficient achievability 
of weak broadcast implies efficient achievability of broadcast. 

Proof. Since the given construction for broadcast involves a polynomial number 
of invocations of weak broadcast (2n(t + 1)), the theorem follows directly from 
Lemma 7. □ 
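As an added example that is not part of the paper, the following Python code runs Protocol 2 (graded consensus) and Protocol 3 (the king-based reduction to broadcast) over an idealized weak-broadcast oracle and checks validity and consistency on constructed runs with n = 5 and t = 2. The oracle is assumed to deliver exactly the guarantees of Definition 2, with the adversary choosing, per recipient, what a corrupt sender's weak broadcast yields; players are numbered 0..n−1 with sender p_0, so the kings of Protocol 3 are p_1, ..., p_t.

```python
BOT = None  # stands for ⊥

def weak_broadcast(n, sender, value, correct, adv):
    """Idealized WeakBroadcast_{p_sender}: returns {i: x_i^sender} for all i.
    A correct sender delivers `value` to everybody (validity). For a corrupt
    sender the adversary picks, per recipient, one fixed bit or ⊥ (consistency);
    recipients it does not name get ⊥. This models the guarantee of Definition 2,
    not Protocol 1 itself."""
    if sender in correct:
        return {i: value for i in range(n)}
    bits = {v for v in adv.values() if v is not BOT}
    assert len(bits) <= 1, "weak broadcast never yields two different bits"
    return {i: adv.get(i, BOT) for i in range(n)}

def graded_consensus(n, t, inputs, correct, adv1, adv2):
    """Protocol 2 for all correct players at once.
    inputs: {i: x_i} for correct i.  adv1/adv2: {j: {i: value}} chosen by each
    corrupt j for its weak broadcasts in Step 1 and Step 4.
    Returns {i: (y_i, g_i)} for correct i."""
    # Step 1: x_i^j := WeakBroadcast_{p_j}(P, x_j) for every j
    view = {i: {} for i in correct}
    for j in range(n):
        out = weak_broadcast(n, j, inputs.get(j), correct, adv1.get(j, {}))
        for i in correct:
            view[i][j] = out[i]
    # Steps 2-3: z_i := x_i if at least n - t players weak-broadcast x_i, else ⊥
    z = {}
    for i in correct:
        support = sum(1 for j in range(n) if view[i][j] == inputs[i])
        z[i] = inputs[i] if support >= n - t else BOT
    # Step 4: z_i^j := WeakBroadcast_{p_j}(P, z_j) for every j
    view2 = {i: {} for i in correct}
    for j in range(n):
        out = weak_broadcast(n, j, z.get(j), correct, adv2.get(j, {}))
        for i in correct:
            view2[i][j] = out[i]
    # Steps 5-7: majority gives y_i; grade 1 iff that majority has size >= n - t
    result = {}
    for i in correct:
        T0 = sum(1 for j in range(n) if view2[i][j] == 0)
        T1 = sum(1 for j in range(n) if view2[i][j] == 1)
        y = 0 if T0 > T1 else 1
        g = 1 if (T0 if y == 0 else T1) >= n - t else 0
        result[i] = (y, g)
    return result

def broadcast(n, t, correct, sender_sends, adv):
    """Protocol 3 with players 0..n-1 and sender p_0 (the paper uses p_1), so the
    kings are p_1..p_t. sender_sends: {i: bit} handed to p_i in Step 1.
    adv: {k: (adv1, adv2, king_sends)} per round k, where king_sends is {i: bit}
    in case the king p_k is corrupt. Returns {i: y_i} for correct i."""
    y = {i: sender_sends[i] for i in correct}
    for k in range(1, t + 1):
        adv1, adv2, king_sends = adv.get(k, ({}, {}, {}))
        res = graded_consensus(n, t, y, correct, adv1, adv2)       # Step 3
        new_y = {i: res[i][0] for i in correct}
        for i in correct:
            if res[i][1] == 0:                                      # Step 5
                new_y[i] = new_y[k] if k in correct else king_sends[i]
        y = new_y
    return y

# Constructed runs with n = 5, t = 2 (so t < n/2).
def scenario_correct_sender():
    """Sender p_0 is correct with input 1; p_3, p_4 are corrupt and weak-broadcast
    0 in every step. Validity: every correct player must output 1."""
    n, t, correct = 5, 2, {0, 1, 2}
    zeros = {j: {i: 0 for i in range(n)} for j in (3, 4)}
    adv = {k: (zeros, zeros, {}) for k in (1, 2)}
    return broadcast(n, t, correct, {i: 1 for i in range(n)}, adv)

def scenario_corrupt_sender():
    """Corrupt sender p_0 hands 1 to p_1 and 0 to the others, then keeps feeding
    p_1 the bit 1 and everybody else ⊥. Consistency: all correct players agree."""
    n, t, correct = 5, 2, {1, 2, 3, 4}
    favour_p1 = {0: {1: 1}}  # deliveries of p_0's weak broadcasts
    adv = {k: (favour_p1, favour_p1, {}) for k in (1, 2)}
    return broadcast(n, t, correct, {1: 1, 2: 0, 3: 0, 4: 0}, adv)
```

In the corrupt-sender run p_1 alone starts with 1, fails to reach the n − t support in Step 3 and therefore weak-broadcasts ⊥, after which the majority of Steps 5 to 7 pulls it to 0 with grade 1.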
Abstract. We revisit the following open problem in information-theo- 
retic cryptography: Does the communication complexity of uncondition- 
ally secure computation depend on the computational complexity of the 
function being computed? For instance, can computationally unbounded 
players compute an arbitrary function of their inputs with polynomial 
communication complexity and a linear threshold of unconditional pri- 
vacy? Can this be done using a constant number of communication 
rounds? 

We provide an explanation for the difficulty of resolving these questions 
by showing that they are closely related to the problem of obtaining ef- 
ficient protocols for (information-theoretic) private information retrieval 
and hence also to the problem of constructing short locally-decodable 
error-correcting codes. The latter is currently considered to be among 
the most intriguing open problems in complexity theory. 



Keywords. Information-theoretic cryptography, secure multiparty computa- 
tion, private information retrieval, locally decodable codes. 

1 Introduction 

In STOC 1990, Beaver, Micali, and Rogaway [5] posed the following question: 

Is there a constant-round protocol that allows k computationally un- 
bounded players to defeat a computationally unbounded adversary, while 
using only a polynomial amount of communication in the total length of 
their inputs? 

This question is still wide open today: it is not known whether all functions 
admit such a protocol, even in the simple case that the adversary can passively 
corrupt only a single player, and even without any restriction on the number of 
rounds. 

A partial answer to the above question was given by Beaver, Feigenbaum, 
Kilian and Rogaway [4]. They showed that such a round- and communication- 
efficient protocol exists when the number of players is roughly as large as the 
total input size. More precisely, every function f of n input bits can be t-securely 
computed by k = O(tn/log n) computationally unbounded players using poly(n) 
communication complexity and a constant round complexity. Note that this 
result is meaningless when the number of players is fixed (even when t = 1), 
since it requires the number of players to grow with the input size. This should 
be contrasted with the fact that, ignoring complexity issues, the optimal security 
threshold is a constant fraction of the number of players, regardless of the input 
size. Again, the problem of resolving these difficulties was posed as an open 
question in [4].¹ 

As noted above, if there is no limit on the resources used by the players, 
then any function f can be computed by k players with a linear threshold of 
information-theoretic security. This can also be done in a constant number of 
rounds. However, all general-purpose protocols achieving this have a somewhat 
unexpected common feature: their communication complexity depends on the 
computational complexity of f (either its circuit complexity if there is no re- 
striction on the number of rounds [7,10,12], or its formula- or branching pro- 
gram complexity in the constant-round case [2,19]). It seems quite unlikely that 
a purely information-theoretic complexity measure would be so closely linked 
with computational measures. However, so far there has been no significant neg- 
ative evidence against this link nor positive evidence to support it. 

The main goal of this work is to establish a close connection between the 
above questions and other well-known open problems. These problems are dis- 
cussed below. 

Private information retrieval (PIR). A private information retrieval (PIR) 
protocol allows a user to retrieve an item i from a database of size N while hiding 
i from the servers storing the database. The main cost-measure of such protocols 
is the communication complexity of retrieving one out of N bits of data. There 
are two main settings for PIR. In the information-theoretic setting [11,1,6], there 
are k ≥ 2 servers holding copies of the database and the default privacy require- 
ment is that each individual server learn absolutely no information about i. In 
the computational setting for PIR [8,22,9] there is typically only a single server 
holding the database, and the privacy requirement is relaxed to computational 
privacy. While the complexity of PIR in the computational setting is pretty well 
understood (an “essentially optimal” protocol with polylogarithmic communica- 
tion can be based on a reasonable cryptographic assumption [9]), the situation is 
very different in the information-theoretic setting. For any constant k, the best 
upper bound on the communication complexity of k-server PIR is some fixed 
polynomial in N, i.e., O(N^{1/c_k}) where c_k is a constant depending on k. (The 
current best bound on c_k is Ω(k log k / log log k) [6].) On the other hand, the 
best known general lower bound on the communication complexity of k-server 
PIR is logarithmic in N [23]. Hence, there is an exponential gap between known 
upper and lower bounds. From now on, the term PIR will refer by default to 
information-theoretic PIR. 

¹ These questions should not be confused with another major open problem in 
information-theoretic MPC: does every polynomial-time computable function ad- 
mit a constant-round protocol which is computationally efficient? Our results do not 
have direct relevance to this question. However, our results do have relevance to the 
variant of this question which allows the protocols to be computationally inefficient. 

Symmetrically Private Information Retrieval (SPIR). The original PIR 
model is not concerned with protecting the privacy of the data, and allows the 
user to learn arbitrary additional information (in addition to the selected bit). 
The stronger SPIR primitive [15] requires, on top of the PIR requirement, that 
the user learn no additional information about the database other than the 
selected bit. This may be viewed as an information-theoretic analogue of (N choose 1)- 
Oblivious Transfer. We use SPIR as an intermediate primitive for establishing 
the connection between PIR and multi-party computation. In doing so, we need 
to establish a tighter reduction from SPIR to PIR than the one shown in [15]. 

Locally-decodable codes (LDC). Standard error-correcting codes can pro- 
vide high fault tolerance while only moderately expanding the encoded message. 
However, their decoding procedure requires reading the entire encoded message 
even if one is only interested in decoding a single bit of this message. LDC si- 
multaneously provide high fault tolerance and a sublinear-time “local” decoding 
procedure. To make this possible, the decoding procedure must use randomness 
for selecting which bits to probe, and some error probability must be tolerated. 
More formally, a code C : {0, 1}^N → Σ^M is said to be (k, δ, ε)-locally decodable if 
every bit x_i of x can be decoded from y = C(x) with success probability ≥ 1/2 + ε 
by reading k (randomly chosen) symbols of y, even if up to a δ-fraction of the 
symbols in y were adversarially corrupted. The main complexity question re- 
lated to LDC is the following: Given a constant number of queries k, what is 
the minimal length M(N) of a (k, δ, ε)-LDC? In studying this question, one typ- 
ically requires δ, ε to be bounded by some fixed constants (independently of N). 
However, the problem appears to be as difficult even if δ, ε are sub-constant (say, 
δ, ε = 2~ ") as long as they are not exponentially small. 

Katz and Trevisan [20] have shown an intimate connection between this ques- 
tion and information-theoretic PIR. In particular, a k-server PIR protocol in 
which the user sends α(N) bits to each server and receives β(N) bits in return 
can be used to construct a k-query LDC of length O(k2^{α(N)}) over Σ = {0, 1}^{β(N)}. 
Accordingly, the best upper bound on the length of a k-query LDC is exponen- 
tial in N and the best general lower bound is polynomial in N [20]. The question 
of obtaining stronger lower bounds for LDC has recently received a significant 
amount of attention [20,17,13,27,21], and progress on this question appears to 
be very difficult. 

1.1 Our Results 

We prove that the problem of obtaining communication-efficient constant-round 
protocols for arbitrary functions is closely related to the problem of obtaining 
communication-efficient PIR protocols. Relying on known connections between 
PIR and locally decodable codes [20], we obtain a similar connection between 
the communication complexity of unconditionally secure multiparty computation 
and the length of locally decodable codes. In particular, strong negative results 
for the former problem would imply strong negative results for the latter, which 
so far seem elusive. 

The above high-level statements hide some subtleties. By default, we will view 
the number of players as constant, and measure the complexity of protocols in 
terms of their input size. Hence, by referring to the existence of communication- 
efficient protocols with a linear security threshold we mean the following: there 
exists a constant c < 1/2 such that for all k there exists a polynomial p(·) (pos- 
sibly depending on k) such that for all functions f : {0, 1}^n → {0, 1} there exists 
a k-player ⌊ck⌋-private protocol that computes f with p(n) communication.² 

Also, the term "security" refers here to security against honest-but-curious, 
computationally unbounded players (or equivalently a passive, unbounded external 
adversary). 

With the above terminology in hand, we can now informally state our main 
results (which are actually special cases of more general theorems). The first of 
these results relate the existence of very efficient PIR protocols to 
the existence of communication-efficient multiparty computation (MPC): 

— (from PIR to MPC) If there exists a 1-round, polylog communication, PIR 
with a constant number of servers then there exist communication-efficient, 
statistically private, constant-round, multiparty protocols with a linear privacy 
threshold. 

Moreover, if the PIR protocol that we start with is so-called linear then this 
transformation yields perfect multiparty protocols. 

— (from MPC to PIR) If there exist communication-efficient multiparty protocols 
with a linear privacy threshold then there exists polylog communication 
PIR with a constant number of servers. Moreover, this transformation maintains 
the number of rounds. 

Using the above results, combined with the connections between PIR and locally 
decodable codes mentioned above, we get the following additional corollaries: 

— (from LDC to MPC) If there exist constant-query LDCs of quasi-polynomial 
length and alphabet of quasi-polynomial size then there exist communication-
efficient, statistically private, constant-round, multiparty protocols with a 
linear security threshold. 

— (from MPC to LDC) If there exist communication-efficient multiparty protocols 
with a linear privacy threshold then there exists a constant-query LDC 
of quasi-polynomial length, quasi-polynomial size alphabet and parameters 
$\epsilon, \delta$ which are $1/\mathrm{quasipoly}(N)$. (It should be noted that all currently known 
LDC with these parameters are of exponential size (i.e., $2^{N^{\Omega(1)}}$); therefore, 
codes with quasi-polynomial parameters, as those mentioned here, are considered 
non-trivial.) 

^1 Here and in the following, the $n$ input bits of $f$ may be arbitrarily partitioned 
between the $k$ players. 

To conclude, strong (upper or lower) bounds on the communication complexity 
of MPC should be roughly as difficult as strong bounds on LDCs, up to some 
loss in the achieved parameters. 



1.2 Related Work 

There is a vast literature on secure computation in the information-theoretic 
setting and on private information retrieval. However, most related to the current 
work are [4] and [24]. 

As noted above, [4] obtain communication-efficient protocols for arbitrary 
functions, whose security threshold decreases almost linearly with the input size. 
Their protocol was related to constructions of locally-random reductions [3], 
which in turn are related to PIR. However, the protocol of [4] made heavy use 
of special "easiness" properties of the underlying locally-random reductions, and 
thus did not provide an indication that a more general relation exists. 

Naor and Nissim [24] study the question of turning a communication-efficient 
two-party protocol into a secure one without incurring a significant communication 
overhead. In doing so, they make use of an idealized $\binom{N}{1}$-OT, which in turn 
(using reductions from [25,14]) can be based on single-server PIR with polylogarithmic 
communication. However, in the two-party setting considered in [24] our 
main result becomes trivial, as the secure computation of an arbitrary function 
reduces to a single table lookup. 

Organization: In Section 2 we provide some necessary definitions and notation. 
Section 3 deals with transforming PIR protocols into SPIR protocols and 
Section 4 with transforming the latter into MPC protocols. Section 5 describes 
a construction of PIR protocols from multiparty protocols. Finally, in Section 6 
we discuss the relation between LDC and PIR. 

2 Preliminaries 

In this section we sketch the definitions of the main primitives considered in this 
work. Since these are very basic and well known primitives, the purpose of this 
section is mainly to set up the notation and terminology used in this paper. For 
more detailed definitions the reader is referred to the relevant literature. 

2.1 MPC 

A secure multiparty computation (MPC) protocol allows a set of $k$ players 
$P_1, \ldots, P_k$ to compute some function $f$ of their local inputs while hiding the 
inputs from each other. By default, we consider functions $f : (\{0,1\}^n)^k \to 
\{0,1\}$. When computing such a function, each player $P_i$ holds an $n$-bit input 
$a_i \in \{0,1\}^n$, and all players output $f(a_1, \ldots, a_k)$. Our results easily extend to 
more general types of functionalities (e.g., allowing non-boolean outputs and 
different outputs to different players). 
In this work we consider MPC in the pure information-theoretic setting, where 
both the legitimate players running the protocol and the adversary attacking it 
have unlimited computational resources. We restrict our attention to security 
against a passive adversary (or honest-but-curious players), also referred to as 
privacy. In this setting, a $k$-party protocol is said to $t$-privately compute $f$ (where 
$1 \le t < k$) if the following requirements are met: 

— Correctness. The players always output the correct output $f(a_1, \ldots, a_k)$. 

— $t$-privacy. The view of any set $B$ of at most $t$ players depends only on the 
inputs of the players in $B$ and the output of the function. That is, on any two 
input vectors $a, a'$ such that $a_B = a'_B$ and $f(a) = f(a')$, the view of players 
in $B$ is identically distributed. 

The above perfect correctness requirement can be naturally relaxed to $\epsilon$-
correctness, allowing the output to be incorrect with probability $\epsilon$. Similarly, the 
perfect privacy requirement can be relaxed to $(t,\epsilon)$-privacy, requiring that for 
any set $B$ of at most $t$ players the distributions of its view on any two input 
vectors $a, a'$ as above are in statistical distance of at most $\epsilon$. Moreover, it is 
convenient to assume that the above $\epsilon$-privacy requirement holds given every 
choice of the random inputs of players in $B$.^2 

While the case of perfect MPC is the more interesting one and is the one 
usually considered in the literature, some of our transformations will only yield 
non-perfect protocols. In all such cases, $\epsilon$ can be made negligible in $n$. 

2.2 PIR 

Private Information Retrieval (PIR) schemes are protocols for $k+1$ parties: 
servers $S_1, \ldots, S_k$, which are given an $N$-bit string $x \in \{0,1\}^N$ as input (sometimes 
referred to as a database), and a user $U$, which is given as input an index 
$i \in [N]$. A PIR protocol allows communication between the user and the servers; 
we assume, without loss of generality, that the servers do not communicate with 
each other directly.^3 The goal of the protocol is for the user to learn the value 
$x_i$ while, at the same time, keeping $i$ private. This is captured by the following 
requirement. 

User-privacy: Denote by $V_j[x,i]$ the random variable containing the view of 
server $S_j$ in the protocol when the database is $x$ and the user wishes to retrieve 
$x_i$. User-privacy requires that, for any server $S_j$, the view $V_j$ is independent of $i$ 
(i.e., for all $x, i, i'$ the views $V_j[x,i]$ and $V_j[x,i']$ are identically distributed). We 
will also consider a relaxed variant, termed $\epsilon$-PIR, in which we only require that 
the statistical distance between $V_j[x,i]$ and $V_j[x,i']$ be bounded by $\epsilon$. The latter 
requirement will be referred to as $\epsilon$-user-privacy. 

^2 This assumption is without loss of generality, since there is at most a $\sqrt{\epsilon}$-fraction 
of the random input choices given which the distance is larger than $\sqrt{\epsilon}$. For sufficiently 
small $\epsilon$, these bad choices can be eliminated without significantly altering the 
protocol's behavior. 

^3 Since we are interested in the honest-but-curious setting, and since there is no privacy 
requirement with respect to the user, communication between the servers can always 
be done with the help of the user. 

The complexity of PIR schemes is measured mainly by their communication 
complexity. We denote by $\alpha(N)$ the total number of bits sent in the protocol 
from the user to the servers, by $\beta(N)$ the total number of bits sent from the 
servers to the user, and by $m(N)$ the total communication (in either direction). 

2.3 SPIR 

Symmetrically Private Information Retrieval (SPIR) schemes are PIR schemes 
that satisfy an additional data-privacy requirement, guaranteeing that the only 
information obtained by the user in the protocol is the intended output $x_i$. 

Data-privacy: Denote by $V_U[x,i]$ the random variable which is the view of 
the user in the protocol where the servers hold database $x$ and the user's input 
is $i$. We require that, for all $i$ and for all strings $x, x'$ such that $x_i = x'_i$, the 
views $V_U[x,i]$ and $V_U[x',i]$ are identically distributed. We will also consider a 
relaxed variant, termed $\epsilon$-SPIR, in which we require that the statistical distance 
between these two views be bounded by $\epsilon$ and, as in the case of PIR, also allow 
$\epsilon$-user-privacy. 

It should be noted that in the literature (see [15]) information-theoretic SPIR 
is discussed in a setting where all servers share a common random string (CRS) 
which is unknown to the user. This assumption is necessary if no direct communication 
between the servers is allowed. In contrast, the use of SPIR in this 
paper cannot allow the servers to share a CRS. We therefore allow servers in a 
SPIR protocol to directly communicate with each other. 

Note that SPIR in this setting can also be viewed as a special case of MPC: 
the MPC consists of $k+1$ players, the user and the $k$ servers, whose inputs are 
restricted so that all servers hold an identical input $x$, and whose privacy 
constraints are those obtained by setting $t = 1$ in the formal definitions of MPC. 
A similar view can be taken with respect to PIR, except that here the privacy 
constraint for the user is removed. 

3 From PIR to SPIR 

In this section we show how to transform a (perfect or non-perfect) PIR scheme 
with communication complexity $m(N)$ into an $\epsilon$-SPIR scheme with communication 
complexity $\mathrm{poly}(m(N))$ (in the model where no CRS is available). This 
transformation maintains the number of rounds^4 but has a small penalty of 
increasing the number of servers from $k$ to $k+1$. 

A good starting point for presenting our transformation is to recall the transformation 
of [15], obtaining SPIR with perfect data-privacy in the case where a 
CRS is available. Its main disadvantage from our point of view is that the CRS 
in use is very long, and so modifying it to the setting with no CRS does not 
seem obvious. We will show, however, that such a modification can still be done. 
We therefore start with the solution from [15]; it assumes a CRS denoted $r$ of 
length $N$ that is available to $k+1$ servers $S_1, \ldots, S_k, S_{k+1}$. 

^4 In the context of PIR, a round is an exchange of messages from the user to the 
servers and back. In the context of SPIR we also allow, in parallel, a communication 
between the servers. 

1. The user $U$ picks a random shift $\Delta \in [N]$ and sends it to the servers 
$S_1, \ldots, S_k$. The user also sends the shifted index $i + \Delta$ to $S_{k+1}$ (here and below, 
whenever an index is larger than $N$ it should be understood that $N$ is subtracted 
from it). 

2. $U, S_1, \ldots, S_k$ execute the assumed PIR scheme where $U$ uses $i$ as its input 
and the servers use $y = x \oplus (r \text{ shifted by } \Delta)$, i.e., $y_j = x_j \oplus r_{j+\Delta}$, as their 
input. This scheme allows $U$ to compute $y_i = x_i \oplus r_{i+\Delta}$ (but may potentially 
leak additional information about $y$). 

$U$ also receives from $S_{k+1}$ the bit $r_{i+\Delta}$. It xors this bit with $y_i$ to obtain $x_i$. 

Intuitively, user-privacy follows from the fact that the view of each of 
$S_1, \ldots, S_k$ is exactly as in the PIR protocol and the view of $S_{k+1}$ consists of 
a random index (independent of $i$). Data-privacy follows from the fact that $y$ is 
uniformly distributed in $\{0,1\}^N$ and that the only bit of $r$ which is available to 
$U$ is $r_{i+\Delta}$. This intuition is formally proved in [15]. The communication complexity 
of the above SPIR protocol is dominated by the communication complexity 
of the PIR. The round complexity also remains unchanged (note that Step 1 can 
be executed in parallel to the first message of Step 2). 

Next, we wish to modify the transformation to work in the setting where no 
CRS is available. A natural approach is to let the server $S_{k+1}$ choose the string 
$r \in_R \{0,1\}^N$, distribute it among all other servers (but not the user) and then 
run the protocol above. While this modification still respects both user-privacy 
and data-privacy, the communication complexity grows by $k \cdot N$ (since the length 
of $r$ is $N$) and hence it makes the whole protocol useless for our purposes. 

To overcome this, we will show the existence of a "small" set of strings 
$\mathcal{R} \subseteq \{0,1\}^N$ that "fools" the protocol; namely, the user's views obtained in the 
modified protocol in which $S_{k+1}$ picks $r \in_R \mathcal{R}$ are statistically close to those 
obtained in the protocol above. The overhead of this transformation will only 
be $k \cdot \log|\mathcal{R}|$ (rather than $k \cdot N$), which will be small enough. However, the 
transformation will no longer obtain perfect data-privacy. The theorem that we 
prove is as follows: 

Theorem 1. Fix $k \ge 2$ and $\epsilon > 0$. Assume that there exists a $k$-server PIR 
protocol $\mathcal{P}$ with communication complexity $m(N)$ and round complexity $d(N)$ 
that satisfies $\epsilon_1$-user-privacy, for some $\epsilon_1 \ge 0$. Then, there exists a $(k+1)$-
server SPIR protocol $\mathcal{P}'$ with communication complexity $O(m(N) + \log(1/\epsilon))$ 
and round complexity $d(N)$ that satisfies $\epsilon_1$-user-privacy and $\epsilon$-data-privacy. 

The rest of this section is organized as follows. We first formalize a technical 
lemma about the existence of a set $\mathcal{R}$ as needed. Then, based on this lemma, we 
present and analyze the modified transformation from PIR to SPIR. Finally, we 
prove the lemma (this is a fairly standard proof, in complexity theory contexts, 
that uses a probabilistic argument and is given here for the sake of completeness). 

Let $\mathcal{R} \subseteq \{0,1\}^N$ and let $C : \{0,1\}^N \to [M]$ be a function. Denote by $C(\mathcal{R})$ 
the random variable obtained by applying $C$ to a random element of $\mathcal{R}$ and by 
$C(U)$ the random variable obtained by applying $C$ to a uniformly random $N$-bit 
string. We say that $\mathcal{R}$ $\epsilon$-fools the function $C$ if the statistical distance between 
$C(\mathcal{R})$ and $C(U)$ is bounded by $\epsilon$. Let $\mathcal{C}$ be a family of functions. We say that $\mathcal{R}$ 
$\epsilon$-fools $\mathcal{C}$ if it $\epsilon$-fools every function $C \in \mathcal{C}$. 

Lemma 1. Let $\mathcal{C}$ be a family of functions from $\{0,1\}^N$ to $[M]$ and let $\epsilon > 0$. 
Then, there exists a set $\mathcal{R}_{\mathcal{C}} \subseteq \{0,1\}^N$ of size $\mathrm{poly}(1/\epsilon, M, \log|\mathcal{C}|)$ that $\epsilon$-fools $\mathcal{C}$. 

It should be noted that we will apply the above claim with $\mathcal{C}$ which is significantly 
smaller than the set of all functions. Also note that $\mathcal{R}_{\mathcal{C}}$ may depend 
on $\mathcal{C}$; obviously, there can be no single $\mathcal{R}$ that is good for all families $\mathcal{C}$, even if 
$\mathcal{C}$ can only contain a single function. 

We defer the proof of the lemma and now describe the modified transformation. 
We are given a PIR protocol $\mathcal{P}$, and assume for now that $\mathcal{P}$ is a perfect, 
one-round protocol (which is the case for all known PIR protocols; the multi-
round case will be discussed in Remark 1 below and the non-perfect case in 
Remark 2 below). The protocol starts by server $S_{k+1}$ picking $r \in_R \mathcal{R}$, from a 
carefully chosen $\mathcal{R}$ (specified below) and sending its index ($\log|\mathcal{R}|$ bits) to all 
other servers. The SPIR protocol then proceeds as the SPIR protocol described 
above. 

User-privacy is easy to argue, independently of the choice of $\mathcal{R}$; indeed, user-
privacy in the original transformation holds for any choice of $r$, in particular 
for all $r \in \mathcal{R}$. To argue the data-privacy, we first have to define the set $\mathcal{R}$. For 
this, we define a family of functions $\mathcal{C}$ that our set $\mathcal{R}$ will be able to fool. Fix 
some database $x \in \{0,1\}^N$ and a sequence of queries $q = (q_1, \ldots, q_k, q_{k+1})$ that 
may be sent in our protocol from the user to the $k+1$ servers. Let $C_{x,q}(r)$ be 
the function that returns the sequence of all answers that the user gets from the 
servers, as a function of $r$, when the database is $x$ and its queries were $q$. Let $\mathcal{C}$ be 
the family of all functions $C_{x,q}(r)$, parameterized by the choice of $x$ and $q$. Note 
that the length of the queries is bounded by $\alpha(N)$ and the length of the answers 
is bounded by $\beta(N)$ (it is therefore convenient to set $M = 2^{\beta(N)}$). Also note 
that the size of $\mathcal{C}$ is $2^N \cdot 2^{\alpha(N)}$. For this family $\mathcal{C}$, we pick $\mathcal{R} = \mathcal{R}_{\mathcal{C}}$ as promised 
by Lemma 1. This choice of $\mathcal{R}$ guarantees that the view seen by the user (which 
is determined by $C_{x,q}(r)$) is $\epsilon$-close whether $r$ is truly random or $r \in_R \mathcal{R}$. Hence, by 
the perfect data-privacy of the original transformation, we get $\epsilon$-privacy of the 
modified transformation. 

Finally the communication complexity consists of the communication complexity 
of the original PIR (which is $m(N) = \alpha(N) + \beta(N)$), the communication 
between the user and $S_{k+1}$ (which is $\log N + 1$ bits) and the cost of sending $r$ from 
$S_{k+1}$ to all other servers (which is $k \cdot \log|\mathcal{R}_{\mathcal{C}}| = O(\log(1/\epsilon) + \log M + \log\log|\mathcal{C}|) = 
O(\log(1/\epsilon) + \beta(N) + \alpha(N) + \log N) = O(m(N) + \log(1/\epsilon))$). This implies that the 
communication overhead of the transformation is fairly small. 

Proof of Lemma 1: We prove the lemma by picking at random a set $\mathcal{R} \subseteq 
\{0,1\}^N$ of $w$ strings (each is chosen uniformly and they are all independent). 
To prove the lemma, it suffices to show that for all $C \in \mathcal{C}$ no (statistical) distinguisher 
can distinguish between the random variables $C(\mathcal{R})$ and $C(U)$ with 
more than an $\epsilon$-advantage, where a (statistical) distinguisher is just a subset 
$T \subseteq [M]$ of all possible outputs. For this, we first fix some $C$ and $T$ and bound 
from above the probability that, for a random $\mathcal{R}$, the distinguisher can tell apart 
$C(\mathcal{R})$ from $C(U)$. Namely, for some "small" $\delta$ we wish to prove that 

$$\Pr_{\mathcal{R}}\Big[\,\big|\Pr(C(U) \in T) - \Pr(C(\mathcal{R}) \in T)\big| > \epsilon\,\Big] < \delta.$$ 

Let $p = \Pr(C(U) \in T)$. Since each element of $\mathcal{R}$ is a uniformly random string, 
$\Pr(C(\mathcal{R}) \in T)$ is the average of $w$ independent $0/1$ random variables, each equal 
to $1$ with probability $p$. Therefore, we need to prove that when sampling $w$ 
times such a variable, the probability that the average will deviate from $p$ by 
more than $\epsilon$ is bounded by $\delta$. This kind of bound is given by Chernoff bounds. 
Specifically, it can be shown that if $w = \mathrm{poly}(1/\epsilon, \log(1/\delta))$ then this probability 
is indeed bounded by $\delta$. Now, if we set $\delta < 1/(|\mathcal{C}| \cdot 2^M)$ it follows by a union 
bound argument that there exists a choice of $\mathcal{R}$ such that for all $2^M$ distinguishers, 
and for each of the $|\mathcal{C}|$ functions $C \in \mathcal{C}$, we have $|\Pr(C(U) \in T) - \Pr(C(\mathcal{R}) \in T)| \le \epsilon$, 
as needed. The size of this $\mathcal{R}$ is $w = \mathrm{poly}(1/\epsilon, M, \log|\mathcal{C}|)$, as needed. $\square$ 
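
Both the CRS-based protocol of [15] above (Steps 1 and 2) and the role of the fooling set $\mathcal{R}$ from Lemma 1 can be checked exhaustively on a toy instance. The following Python is an added example, not code from the paper: it takes the classic 2-server XOR PIR as the underlying PIR (our choice, not dictated by the text), adds a third server $S_3$ holding $r$, and picks the set $\mathcal{R}$ uniformly at random instead of through the lemma's existence argument; $N$, $|\mathcal{R}|$ and the seed are illustration parameters.

```python
"""PIR -> SPIR transformation of Section 3, simulated exhaustively on a toy
instance. Added example, not code from the paper. The assumed PIR is the
classic 2-server XOR scheme: U sends a uniformly random subset S of [N] to
S1 and S xor {i} to S2, each server returns the parity of its database on
the subset it received, and U XORs the two answers to get bit i. On top of
it runs the CRS construction of [15] with a third server S3 that knows r.
The fooling set R of Lemma 1 is sampled at random here (the lemma only
proves one exists); N and |R| are illustration parameters."""
import itertools
import random
from collections import Counter


def pir_queries(i, n, s):
    """XOR-PIR queries for index i given U's random subset s (0/1 tuple)."""
    return s, tuple(b ^ (j == i) for j, b in enumerate(s))


def parity(db, subset):
    return sum(b for b, keep in zip(db, subset) if keep) % 2


def spir_run(x, i, delta, s, r):
    """One execution of the CRS-based SPIR. Returns (U's view, U's output)."""
    n = len(x)
    y = tuple(x[j] ^ r[(j + delta) % n] for j in range(n))  # y = x xor (r shifted by delta)
    q1, q2 = pir_queries(i, n, s)
    a1, a2 = parity(y, q1), parity(y, q2)                  # S1 and S2 run the PIR on y
    a3 = r[(i + delta) % n]                                # S3 only sees the shifted index
    return (a1, a2, a3), a1 ^ a2 ^ a3                      # U outputs y_i xor r_{i+delta}


def user_view_dist(x, i, r_set):
    """Distribution of U's view over U's coins (delta, S) and r drawn from r_set."""
    n, counts = len(x), Counter()
    subsets = list(itertools.product((0, 1), repeat=n))
    for delta, s, r in itertools.product(range(n), subsets, r_set):
        view, out = spir_run(x, i, delta, s, r)
        assert out == x[i]                                 # correctness
        counts[view] += 1
    total = sum(counts.values())
    return {v: c / total for v, c in counts.items()}


def stat_dist(p, q):
    return sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q)) / 2


def data_privacy_gap(n, i, r_set):
    """Largest distance between U's views on two databases x, x' with x_i = x'_i.
    Zero means perfect data-privacy at index i."""
    dists = {x: user_view_dist(x, i, r_set) for x in itertools.product((0, 1), repeat=n)}
    return max(stat_dist(dists[x], dists[xp])
               for x in dists for xp in dists if x[i] == xp[i])


def max_fooling_distance(n, i, r_set, all_r):
    """Worst case over x of how far U's view with r in r_set is from uniform r."""
    return max(stat_dist(user_view_dist(x, i, r_set), user_view_dist(x, i, all_r))
               for x in itertools.product((0, 1), repeat=n))


def experiment(n=4, i=1, w=6, seed=7):
    all_r = list(itertools.product((0, 1), repeat=n))
    small_r = random.Random(seed).sample(all_r, w)         # stand-in for R_C
    fool = max_fooling_distance(n, i, small_r, all_r)
    return {
        "gap_uniform_r": data_privacy_gap(n, i, all_r),    # [15] construction: 0.0
        "gap_small_R": data_privacy_gap(n, i, small_r),    # modified construction
        "fooling_small_R": fool,                           # epsilon of Lemma 1 for this R
        "bound": 2 * fool,                                 # triangle-inequality bound on gap
    }


if __name__ == "__main__":
    for name, value in experiment().items():
        print(f"{name}: {value:.4f}")
```

With $r$ uniform the reported data-privacy gap is exactly 0, matching the perfect data-privacy of [15]; with $r$ restricted to a small random $\mathcal{R}$ the gap is bounded by twice the fooling distance, which is the triangle-inequality step behind the $\epsilon$-privacy claim above. All statistical distances are computed by enumerating every choice of coins, so they are exact values rather than sampling estimates.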

Remark 1. We dealt above with the case that the PIR scheme $\mathcal{P}$ is a one-round 
scheme. We outline here how a similar construction can be applied in the case 
where $\mathcal{P}$ is a multi-round PIR. Essentially, we apply the same transformation as 
above; we just need to re-define the set of functions $\mathcal{C}$ and as a result the set $\mathcal{R}_{\mathcal{C}}$ 
that fools these functions. The set $\mathcal{C}$ is defined by the collection of all functions 
$C_{x,q}$ as before, except that this time $q$ includes all the communication sent by 
the user in all rounds and $C_{x,q}(r)$ returns all the answers sent by the servers 
over all rounds. $\mathcal{R}_{\mathcal{C}}$ is now defined by applying the lemma to this $\mathcal{C}$ and with 
$\epsilon' = \epsilon/2^{\alpha(N)}$. We claim that the resulting SPIR protocol, $\mathcal{P}'$, is indeed $\epsilon$-private. 
Suppose to the contrary that there is a distinguisher $T$ that participates in $\mathcal{P}'$ 
and can tell, with advantage more than $\epsilon$, whether $r$ is chosen from $U$ or from $\mathcal{R}$. 
We argue that this allows us to construct a distinguisher $T'$ that can tell $C(\mathcal{R})$ 
from $C(U)$, for some $C$, with advantage better than $\epsilon'$, contradicting the choice 
of $\mathcal{R}$. The distinguisher $T'$ works by guessing $q$, i.e. guessing all the messages 
sent by the user over all rounds of the protocol (a total of $\alpha(N)$ bits), randomly 
picking the user's random input, and asking to see the value of $C_{x,q}(r)$. (In 
case where the servers in $\mathcal{P}$ are randomized, the latter should also depend on 
their uniformly chosen random inputs.) If the answers are consistent with the 
queries guessed by $T'$, it applies $T$ to guess whether $r$ comes from $U$ or from 
$\mathcal{R}$; otherwise, it just guesses at random. The advantage of $T'$ in this guess is 
$1/2^{\alpha(N)}$ (the probability of guessing $q$ correctly) times the advantage of $T$. Note 
that even though $\epsilon' \ll \epsilon$, since the communication grows by $\log|\mathcal{R}|$ the effect of 
using $\epsilon'$ rather than the original $\epsilon$ is just an additive factor of $\alpha(N)$. 



Remark 2. The same transformation, as described above, can be applied to an 
$\epsilon_1$-PIR. The user-privacy of the SPIR that we obtain remains as in the PIR (i.e., 
$\epsilon_1$) and the data-privacy has a parameter $\epsilon$. 



Remark 3. It is important to note that our transformation is inherently non-
perfect. However, we point out that there is an important special case in which 
an alternative perfect transformation can be presented; this is the case of linear 
PIR (or LPIR, for short). LPIR is a variant of PIR discussed in the literature; 
it is a one-round protocol where the servers' answers are viewed as vectors in a 
linear space over a field $F$ and the user computes its output $x_i$ by taking a linear combination 
of the $k$ answers, whose coefficients may depend on $i$ and on the user's random 
input. All information-theoretic PIR schemes from the literature are linear in 
this sense. The perfect transformation is now obtained as a combination of two 
facts: The first is that any $k$-server LPIR protocol with $m(N)$ communication 
can be transformed into a linear $2k$-server protocol with query length $m(N)$ in 
which the user outputs the sum of the $2k$ answers [16] (see [6] for details). The 
second is the existence of a simple MPC protocol to privately compute the sum of 
$k$ elements in $F$ with $O(k)$ communication and two rounds. Our transformation 
for this case will therefore work as follows: given the LPIR protocol, we construct 
the protocol with short answers but instead of the servers sending their answers 
to $U$ they will invoke the private protocol for computing $x_i$ in a way that only 
$U$ will learn the result. In fact, it is possible to avoid doubling the number of 
servers by replacing the second step above with a private multiparty protocol 
for the following function. The input of each server is its answer to the user's 
query in the LPIR protocol. The user's input is a vector $u$ representing the linear 
combination of the servers' answers which is needed to reconstruct $x_i$ (note that 
$u$ should remain private, as it may depend on $i$). The function should return 
the value of $x_i$, which is a degree-2 polynomial in the inputs. Note that, due to 
the easiness of the above function, it can be efficiently computed using standard 
MPC protocols (e.g., [7]). 

4 From SPIR to MPC 

In this section we show how to construct, based on a one-round $k$-server SPIR, 
constant-round, 1-private multiparty protocols for $k' = k^2 + 2$ players that 
can compute any function $f$. If the communication complexity of the SPIR is 
$m(N)$ then the communication complexity of the multiparty protocols will be 
$\mathrm{poly}(m(N))$. If the SPIR protocol is only $\epsilon$-private then the MPC protocol is 
$O(\epsilon)$-private (where as usual, $k$ is viewed as a constant). 

Let $\mathcal{P}$ be the given SPIR protocol. Denote the $k^2 + 2$ players of the multiparty 
protocol by $S_{i,j}$, $i, j \in [k]$, and $P_1, P_2$. Also assume, without loss of generality, 
that in the given function $f$ only $P_1, P_2$ have inputs.^5 We therefore denote 
the input of these two players by $a_1, a_2$ and the desired output by $f(a_1, a_2)$. 
Intuitively, the protocol views the function as a table $F$ of size $N \times N$ where 
$N = 2^n$. The goal is for, say, $P_1$ to retrieve the $(a_1, a_2)$ entry of this table, 
which is just the desired $f(a_1, a_2)$. The MPC protocol proceeds as follows: 

1. Player $P_1$ applies the SPIR protocol with index $a_1 \in [N]$ to generate queries 
$q_1, \ldots, q_k$. It sends each query $q_i$ to all players $S_{i,j}$, $j \in [k]$ (i.e., each query 
is sent to $k$ players; intuitively, this is done to create the replication needed 
in the next step of the protocol).^6 

Each player $S_{i,j}$, upon receiving the query $q_i$, computes (but does not send) 
the answer in the SPIR protocol to the query $q_i$ if the database was $F_{a_2}$, 
the $a_2$-th column of the table $F$; since the actual value of $a_2$ is not known 
to $S_{i,j}$ it does so for all possible values $a_2 \in [N]$, hence obtaining a vector $A_i$ 
consisting of all $N$ answers to $q_i$ (each is a $\beta(N)$-bit string). In particular, 
note that each $A_i$ is therefore replicated among $k$ players. 

2. Player $P_2$ applies the SPIR protocol with index $a_2 \in [N]$ to generate queries 
$q'_1, \ldots, q'_k$. It sends each query $q'_j$ to all players $S_{i,j}$, $i \in [k]$. 

Each player $S_{i,j}$, upon receiving the query $q'_j$, computes the answer it would 
give in the SPIR protocol, when its database is $A_i$ (as computed in the 
previous step).^7 It sends this answer, $b_{i,j}$, to $P_2$. 

3. Upon receiving the answers $b_{i,j}$, the player $P_2$ does the following: It uses, for 
each $i$, the $k$ answers $b_{i,j}$, $j \in [k]$ to obtain the $a_2$-th block of $A_i$ (for this it 
applies the reconstruction procedure as in the SPIR protocol). By definition 
of $A_i$, this block contains the answer given in the SPIR protocol to the query 
$q_i$ on database $F_{a_2}$. Denote this answer by $b_i$. 

$P_2$ sends the reconstructed information $b_1, \ldots, b_k$ (total of $\beta(N)$ bits) to $P_1$ 
who can now also apply the reconstruction procedure of the SPIR protocol 
to construct the $a_1$-th entry of $F_{a_2}$; $P_1$ sends this value to all other players. 
This, by definition, is exactly $f(a_1, a_2)$, as needed. 

The communication complexity of the above protocol is bounded by the 
communication complexity of applying the SPIR protocol $k+1$ times. Once, 
initiated by $P_1$, on databases of length $N = 2^n$ but repeated $k$ times (hence its 
cost is $O(m(N))$) and the others, initiated by $P_2$, for $k$ retrievals of $\beta(N)$-bit 
blocks (hence its cost is $O(m(N) \cdot \beta(N))$).^8 The total communication complexity 
is therefore $\mathrm{poly}(m(N))$, as needed. 

^5 In the general case where all players have inputs we simply add a preliminary step 
where each player $S_{i,j}$ shares its input between $P_1, P_2$. Then, we proceed as in the 
case where only these two players have an input, where the input for each of $P_1, P_2$ 
consists of its original input together with the shares received from other players. 

^6 If the SPIR protocol requires also communication among the servers then this is 
done in parallel to the described step. 

^7 SPIR (as well as PIR) is defined above to allow the retrieval of a single bit. However, 
both primitives have a standard extension that deals with the retrieval of "blocks" 
[11]: the user sends one set of queries and the servers answer them by considering the 
blocks in a bitwise manner. If the blocks are of length $\ell$ then the query complexity 
of this solution, $\alpha(N)$, remains unchanged and the answer complexity, $\beta(N)$, grows 
by a factor of $\ell$. Since $A_i$ consists of blocks of $\ell = \beta(N)$ bits this extension is 
needed here. 

We turn to the 1-privacy of the protocol. Informally, we make the following 
observations: (1) player $P_1$ has the same view as the user has in the first invocation 
of the SPIR protocol and hence from the $\epsilon$-data-privacy of the SPIR 
follows the $\epsilon$-privacy of the protocol for computing $f$, with respect to player $P_1$. 
(2) for each $i \in [k]$, player $P_2$ has the same view as the user has in a SPIR protocol 
for constructing the block $b_i$ from $A_i$. Also note that $b_1, \ldots, b_k$ may give 
information on $f(a_1, a_2)$ (and may even determine it completely); however, this 
information is legal since this is the output of the protocol (and nothing more). 
By the $\epsilon$-data-privacy of the SPIR it follows that the protocol for computing $f$ 
is $(k \cdot \epsilon)$-private with respect to player $P_2$ (which, again, is $O(\epsilon)$ as $k$ is viewed as 
a constant). (3) each player $S_{i,j}$ receives one query in each of two (independent) 
SPIR invocations; by the $\epsilon$-user-privacy of the SPIR protocol the view of such a 
player in the multiparty protocol satisfies $\epsilon$-privacy. 
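
The three-step table lookup above, for $k = 2$ and hence $k^2 + 2 = 6$ players, is simulated by the following Python. It is an added example, not code from the paper, and it deliberately uses a plain PIR (the 2-server XOR scheme, our choice) in place of the SPIR: the run is correct for every $(a_1, a_2)$, and observation (1) above fails exactly as one would expect, since $P_1$ can extract a parity of other entries of column $a_2$ from $b_1$. The table, its size and the seeds are constructed for illustration.

```python
"""The table-lookup MPC of Section 4 for k = 2, simulated with the 2-server
XOR PIR (subset S to one server, S xor {index} to the other, answers are
parities, reconstruction is XOR) standing in for the SPIR.  Added example,
not code from the paper. The players are S_{ij} for i, j in [2], P1 and P2
(k^2 + 2 = 6); f is a random N x N table with N = 2^n, P1 holds the row a1
and P2 the column a2. Because the toy scheme is a PIR and not a SPIR, the
protocol is correct but P1 learns parities of column a2 beyond f(a1, a2);
p1_extra_knowledge() exhibits that leak, which is exactly what the
data-privacy of a real SPIR rules out."""
import random

K = 2


def parity(vec, subset):
    return sum(b for b, keep in zip(vec, subset) if keep) % 2


def queries(idx, n_entries, rng):
    """PIR queries for index idx: a random subset S and S xor {idx}."""
    s = tuple(rng.randrange(2) for _ in range(n_entries))
    return s, tuple(b ^ (j == idx) for j, b in enumerate(s))


def run_mpc(table, a1, a2, rng):
    """Returns (output computed by P1, blocks b_1, b_2 received by P1, P1's subset S)."""
    n_entries = len(table)
    # Step 1: P1 generates q_1, q_2 for row a1; q_i goes to S_{i1} and S_{i2}.
    q = queries(a1, n_entries, rng)
    # Each S_{ij} answers q_i on every column, giving the vector A_i of N
    # answers (beta(N) = 1 bit each), replicated on S_{i1} and S_{i2}.
    A = [[parity([table[row][col] for row in range(n_entries)], q[i])
          for col in range(n_entries)] for i in range(K)]
    # Step 2: P2 generates q'_1, q'_2 for column a2; q'_j goes to S_{1j}, S_{2j},
    # and S_{ij} answers q'_j on database A_i, sending b_{ij} to P2.
    qp = queries(a2, n_entries, rng)
    b = [[parity(A[i], qp[j]) for j in range(K)] for i in range(K)]
    # Step 3: P2 reconstructs b_i = A_i[a2] and forwards b_1, b_2 to P1,
    # who reconstructs entry a1 of column a2, i.e. f(a1, a2).
    b_rec = [b[i][0] ^ b[i][1] for i in range(K)]
    return b_rec[0] ^ b_rec[1], b_rec, q[0]


def correct_everywhere(table, seed=0):
    rng = random.Random(seed)
    n_entries = len(table)
    return all(run_mpc(table, a1, a2, rng)[0] == table[a1][a2]
               for a1 in range(n_entries) for a2 in range(n_entries))


def p1_extra_knowledge(table, a1, a2, seed=0):
    """From b_1 and its own subset S, P1 computes the parity of column a2 over
    S minus {a1}: a function of table entries other than the output, hence a
    leak. Returns (value derived by P1, same parity computed from the table)."""
    out, b_rec, s = run_mpc(table, a1, a2, random.Random(seed))
    derived = b_rec[0] ^ (out & s[a1])
    others = tuple(bit if row != a1 else 0 for row, bit in enumerate(s))
    direct = parity([table[row][a2] for row in range(len(table))], others)
    return derived, direct


def random_table(n, seed=1):
    """Constructed sample function f on n-bit inputs, as an N x N bit table."""
    rng = random.Random(seed)
    return [[rng.randrange(2) for _ in range(2 ** n)] for _ in range(2 ** n)]


if __name__ == "__main__":
    T = random_table(2)
    print("correct on all inputs:", correct_everywhere(T))
    print("P1's leaked parity vs. truth:", p1_extra_knowledge(T, 1, 2))
```

The replication in Step 1 is what lets $P_2$ query the vectors $A_i$ with its own PIR queries: every $A_i$ lives on $k$ servers, one per query $q'_j$. Swapping the toy PIR for an actual SPIR is the only change needed to make $P_1$'s and $P_2$'s views depend on nothing but the output.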

To conclude, we have established the following: 

Theorem 2. Let $k \ge 2$ be a constant. Assume that there exists a $k$-server one-
round SPIR protocol which satisfies $\epsilon$-privacy, for some $\epsilon \ge 0$, and has communication 
complexity $m(N)$. Then, for every function $f : (\{0,1\}^n)^{k'} \to \{0,1\}$, for 
$k' = k^2 + 2$, there exists a multiparty $(1, O(\epsilon))$-private protocol with communication 
complexity $\mathrm{poly}(m(2^n))$ and round complexity $O(1)$. 



Remark 4. Similar results can also be proved for $t$-private MPC with $t > 1$ by 
applying the player simulation technique of Hirt and Maurer [18]. More specifically, 
$k$-party 1-private protocols can be composed with each other to obtain 
$k'$-party protocols with a linear privacy threshold, for any $k' > k$. However, this approach can 
be efficiently applied in our setting only for a constant number of players $k'$. 
It follows that the existence of communication-efficient 1-private protocols for 
a constant number of players implies the existence of communication-efficient 
protocols with a linear privacy threshold, in the sense defined in Section 1.1. 
It is interesting to note that in all other contexts we are aware of, the case of 
$t$-privacy can be handled directly without going through intermediate protocols 
for non-threshold structures as in [18]. We are not aware of a more direct way to 
obtain $t$-private protocols in our case, and leave open the question of obtaining 
protocols with a linear privacy threshold whose communication complexity is 
polynomial in both the number of players and the input length. 

^8 In fact, a more careful examination of block retrieval shows that only the answer 
complexity grows to $O(\beta^2(N))$ while the query complexity remains at $2 \cdot \alpha(N)$. 
Similarly, the analysis of the other invocations of the SPIR can also be optimized to 
take into account repeated messages etc. 
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5 Prom MPC to PIR 

In this section we show that if every fc-argument function / admits a 1-private, 
/c-party MPC protocol with communication complexity c(n), then there exists a 
/c-server PIR protocol with communication complexity c(log A^) -I- 0(log./V). 
This transformation is perfect in the sense that if the MPC protocols are perfect 
then so is the PIR. The PIR protocol works as follows: 

1. U picks at random a, b subject to a + b = i mod N (in other words a, b form 
an additive secret-sharing of i). It also picks random bits ri, r 2 . It sends a, r\ 
to server 5i and b,V 2 to server 52- 

2. The k servers execute the guaranteed MPC protocol for the function 

fx{{a,ri),{b,r2))‘^= Xa+b®ri®r2- 

The output is sent to hi who then masks it with r\ 0 r 2 to recover Xi. 

Clearly, the communication complexity is as promised. To argue user-privacy, observe that the input to the MPC protocol provides 1-privacy (since it is a 1-private secret sharing of $i$), the output of the MPC also maintains privacy since it is masked by random bits (and each server knows at most one of the two masking bits), and the last part in the view of each server is its view in the MPC protocol, which also maintains 1-privacy. It follows:

Theorem 3. Let $k > 3$ be a constant. Assume that there exists a $k$-player $(1, \varepsilon)$-private multiparty protocol for every function $f : (\{0,1\}^n)^k \to \{0,1\}$ with communication complexity $c(n)$ and round complexity $d(n)$. Then, there exists $\varepsilon$-PIR with communication complexity $c(\log N) + O(\log N)$ and round complexity $d(\log N) + 1$.

We note that any family of multiparty protocols with a linear privacy thresh- 
old can be easily turned into a 1-private protocol with a constant number of 
players by using a standard player partitioning argument. 

6 Locally Decodable Codes Vs. PIR 

Locally decodable codes (LDCs) were introduced in [20] where their close con- 
nection with PIR was pointed out. In this section we rely on this connection; 
most of the material in this section can be derived from explicit and implicit 
statements in [20]. 

Recall the relevant parameters for a LDC. We are given a string $x \in \{0,1\}^N$ and encode it into a codeword $y$ of length $M(N)$ over an alphabet $\Sigma$. The code is a $(k, \delta, \varepsilon)$-LDC if after suffering an adversarial corruption of a $\delta$ fraction of the symbols in the codeword $y$, it is still possible to reconstruct each bit $x_i$ with probability at least $0.5 + \varepsilon$ by reading only $k$ symbols of the (corrupted) codeword.

Note that if the complexity of every function $f$ can be bounded by some polynomial $c_f(n)$, then there must be a uniform polynomial bound $c(n)$ that is good for all functions $f$. Otherwise, for every $n$ let $f_n : (\{0,1\}^n)^k \to \{0,1\}$ be the "worst" function on $n$-bit inputs; the family of functions $f = \{f_n\}_n$ has superpolynomial complexity.

The first transformation (that follows from implicit statements in [20]) shows that given a $(k, \delta, \varepsilon)$-LDC of length $M(N)$ over alphabet $\Sigma$ it is possible to construct 1-round $k$-server PIR with perfect privacy; its query complexity is $\alpha(N) = O(\log M(N))$, its answer complexity is $\beta(N) = \log|\Sigma|$ and its probability of success (i.e., the probability of correct reconstruction) is $0.5 + \varepsilon\delta/(2q)$. This probability of success can be amplified to $1 - 2^{-\sigma}$ by repeating the protocol $O(\sigma)$ times.

In the opposite direction (again, using implicit statements in [20]) there is a transformation that takes a 1-round, $k$-server PIR protocol with success probability $0.5 + \varepsilon$ and, for all $\delta > 0$, constructs a $(k, \delta, \varepsilon/2 - k\delta)$-LDC of length $M(N) = O(k \cdot 2^{\alpha(N)}/\varepsilon)$ and alphabet $\Sigma = \{0,1\}^{\beta(N)}$. This already implies that a "standard" one-round PIR with polylog$(N)$ communication yields LDC with constant $\varepsilon$, $\delta$ and length and alphabet size which are both quasi-polynomial in $N$.

We observe that a transformation similar to the one used to handle multi-round PIR protocols in Section 3 can be used to show that any multi-round PIR with query complexity $\alpha(N)$, answer complexity $\beta(N)$ and success probability $0.5 + \varepsilon$ can be transformed into a one-round PIR with similar communication complexity and success probability of $0.5 + \varepsilon/2^{\alpha(N)}$. Combining this observation with the transformation from one-round PIR to LDC, we get that if there exists a multi-round $k$-server PIR protocol with polylog$(N)$ communication then there exist LDC with length and alphabet size which are both quasi-polynomial in $N$ and $\delta$, $\varepsilon$ which are both $1/\text{quasi-poly}(N)$.

Remark 5. The above transformation from multi-round PIR to 1-round PIR 
applies also in the case where the servers in the multi-round PIR are randomized. 
However, the servers in the resulting 1-round PIR will also be randomized, in 
which case the transformation from PIR to LDC does not directly apply. It 
is possible to get around this difficulty by letting the user pick the servers’ 
randomness and send it as part of its queries. Using Lemma 1, the amount of 
servers’ randomness can be guaranteed to be of the same order of magnitude as 
the communication. Hence, this derandomization does not significantly increase 
the communication complexity of the original protocol. 



7 Conclusions and Open Problems 

Our results show close connections among several open problems in information-theoretic cryptography. Some of the techniques used in proving these connections may be of independent interest. In particular, the technique used in transforming PIR to SPIR can be used to reduce the amount of randomness used by more general information-theoretic protocols. Moreover, our transformation from PIR to MPC can be applied to get an information-theoretic analogue of the communication preserving secure protocol compiler from [24].

This is a non-adaptive version of the definition. An adaptive version can also be considered.

An interesting problem is to find an explicit construction of a set $\mathcal{R}$, whose existence is proved in Lemma 1, assuming that the functions it tries to fool are efficient. This requires an extension of the Nisan-Wigderson type pseudo-random generators [26] to ones that fool non-Boolean circuits. Good explicit generators of this type seem necessary for randomness reduction in computationally-efficient information-theoretic protocols.

Acknowledgements. We thank Amos Beimel and Dieter van Melkebeek for helpful related discussions.
Abstract. Dining cryptographers networks (or DC-nets) are a privacy-preserving primitive devised by Chaum for anonymous message publication. A very attractive feature of the basic DC-net is its non-interactivity. Subsequent to key establishment, players may publish their messages in a single broadcast round, with no player-to-player communication. This feature is not possible in other privacy-preserving tools like mixnets. A drawback to DC-nets, however, is that malicious players can easily jam them, i.e., corrupt or block the transmission of messages from honest parties, and may do so without being traced.

Several researchers have proposed valuable methods of detecting cheat- 
ing players in DC-nets. This is usually at the cost, however, of multiple 
broadcast rounds, even in the optimistic case, and often of high computa- 
tional and/or communications overhead, particularly for fault recovery. 
We present new DC-net constructions that simultaneously achieve non- 
interactivity and high-probability detection and identification of cheating 
players. Our proposals are quite efficient, imposing a basic cost that 
is linear in the number of participating players. Moreover, even in the 
case of cheating in our proposed system, just one additional broadcast 
round suffices for full fault recovery. Among other tools, our constructions 
employ bilinear maps, a recently popular cryptographic technique for 
reducing communication complexity. 



Keywords: anonymity, dining cryptographers, mix network, non-interactive, 
privacy. 

1 Introduction 

Anonymous message transmission is a fundamental privacy-preserving tool, both 
in the literature and in practice. Toward this aim, Chaum devised two seminal 
techniques: mixnets [10] and “dining-cryptographers” nets [11], also known as 
DC-nets. Mixnets have seen broad exploration in the literature, and serve as 
the basis for several fielded anonymity systems, e.g., [3,13,17,19]. (See [14] for 
a good bibliography.) DC-nets, by contrast, have remained relatively neglected. 
apart from a small scattering of papers, e.g., [1,2,11,21,22]. One reason for this 
is perhaps that DC-nets, unlike mixnets, cannot operate by proxy; in particular, 
the players operating a DC-net must be identical with those providing input. 
In many real-world cases, however, this is not necessarily a serious drawback, 
as in the Crowds system [19], where participants provide mutual protection of 
privacy. Moreover, as formulated by Chaum for the case involving honest players, 
DC-nets have one very compelling feature unavailable in mixnets: 

    In a basic DC-net, anonymous message transmission may be accomplished by players in a non-interactive manner, i.e., in a single broadcast round.

Non-interactivity is of course very naturally attractive as a practical feature of 
system design. It also renders security definitions and proofs simpler than in the 
case of mixnets (for which formal definitions have been quite elusive). 

There is a major drawback to DC-nets, however, and a large obstacle to their 
deployment: They are subject to straightforward jamming by malicious players. 
Such players can prevent the delivery of messages from honest participants, 
either by broadcasting invalid messages or even simply by dropping out of the 
protocol. Several valuable techniques have been proposed for addressing this 
problem, but to this point have had the limitation of requiring either unfeasibly 
intensive computation and/or multiple rounds of interaction among players. 

Our first contribution in this paper is a set of techniques permitting the 
identification of cheating players with very high probability, while retaining the 
property of non-interactivity. The resulting DC-net constructions are computa- 
tionally efficient: Assuming n players, they require each participant to perform 
a number of modular exponentiations that is linear in n during the broadcast 
phase. Any player, whether a participant or not, may perform a quadratic num- 
ber of exponentiations for verification of the output. Indeed, the computational 
costs of our constructions are comparable to those of the most efficient mixnets 
(assuming n players processing n inputs). Our DC-net proposals are therefore 
reasonable for small sets of, say, some dozens of players. 

Of equal importance, we propose techniques that permit recovery from lost or 
corrupted messages in a single, additional broadcast round, provided that there is 
a majority of honest players. Previous proposals have required multiple rounds 
for this purpose, or assumed a re-broadcast of messages. The computational 
costs for our recovery protocol are comparable to those for the basic message- 
transmission protocol. 

Although it is possible to detect cheating by a player in a non-interactive 
mix network, we maintain that under any reasonable set of security assump- 
tions, it is not possible for such a mix network to recover from failure (and thus 
from cheating) by even one player without an additional round of interaction. 
Our reasoning is as follows. Suppose that we could recover the inputs of all participating players regardless of who participated. Then if a given player $P_i$ did participate, and furnished message $m_i$ as input, an adversary could determine $m_i$ by taking the difference between the set $M$ of all messages submitted and the set $M'$ of all messages except that of $P_i$ (the adversary would obtain $M'$ by simulating the absence of $P_i$).
We describe two different DC-net constructions, which we characterize as 
short and long. In a short DC-net, the basic unit of message transmission is an 
algebraic group element. For such DC-nets, we propose techniques that detect 
cheating with overwhelming probability. A long DC-net, by contrast, permits 
efficient transmission of messages of arbitrary length essentially by means of a 
form of hybrid encryption. (It may be viewed as roughly analogous to a “hybrid” 
mixnet.) For long DC-nets, we describe techniques to detect cheating with high, 
but not overwhelming probability; an adversary in this case may feasibly perform 
some limited jamming of messages. 

In both constructions, we make use of bilinear maps, cryptographic techniques that have achieved much recent popularity as tools for reducing protocol interactivity [5]. In consequence, the security of our constructions is predicated on the Decisional Bilinear Diffie-Hellman assumption (DBDH) (see, e.g., [6]), as well as the random oracle assumption [4].

Organization In section 2, we explain the basic concepts of DC-net construc- 
tion, and describe previous results on the topic. We present our formal model 
and other preliminary material in section 3. In section 4, we describe our short 
DC-net construction, followed in section 5 by presentation of our long DC-net 
proposal. We conclude in section 6. In the paper appendix, we offer security 
definitions and proofs for the protocols presented in the body of the paper. 



2 Background 



The intuition behind DC-nets is best introduced with a simple two-player example. Suppose that Alice and Bob possess $k$-bit messages $m_A$ and $m_B$ respectively. They wish to publish these messages anonymously, that is, in such a way that an observer cannot determine which player published which message. Suppose further that Alice and Bob share $k$-bit secret keys $k_{AB}(0)$ and $k_{AB}(1)$, as well as a secret, random bit $b$. Alice and Bob publish message pairs as follows:



if $b = 0$:

    Alice: $M_{A,0} = k_{AB}(0) \oplus m_A$,  $M_{A,1} = k_{AB}(1)$
    Bob:   $M_{B,0} = k_{AB}(0)$,  $M_{B,1} = k_{AB}(1) \oplus m_B$

if $b = 1$:

    Alice: $M_{A,0} = k_{AB}(0)$,  $M_{A,1} = k_{AB}(1) \oplus m_A$
    Bob:   $M_{B,0} = k_{AB}(0) \oplus m_B$,  $M_{B,1} = k_{AB}(1)$



An observer can compute $M_{A,0} \oplus M_{B,0}$ and $M_{A,1} \oplus M_{B,1}$, yielding the (unordered) message pair $\{m_A, m_B\}$. The origin of these messages, however, remains unconditionally private: Without knowing the secrets shared by Alice and Bob, the 
observer cannot determine which player published which message. Observe that 
this protocol is non-interactive, in the sense that once their secrets are estab- 
lished, Alice and Bob need not communicate directly with one another. 

This basic protocol may be extended to multiple players $P_1, P_2, \ldots, P_n$. Suppose that each pair of players $(P_i, P_j)$ shares a set of keys $k_{i,j}(w)$ for $i, j, w \in \{1, 2, \ldots, n\}$, where $k_{i,j}(w) = k_{j,i}(w)$. Each player $P_i$ computes a vector of values as follows:

$W_i = \big(W_i(1) = \bigoplus_{j \ne i} k_{i,j}(1),\; W_i(2) = \bigoplus_{j \ne i} k_{i,j}(2),\; \ldots,\; W_i(n) = \bigoplus_{j \ne i} k_{i,j}(n)\big).$

We refer to each message $W_i(w)$ as a pad, and refer to each value $k_{i,j}(w)$ as a partial pad. Observe that $\bigoplus_{i=1}^{n} W_i(w) = 0$, i.e., the pads in a given position $w$ cancel when XORed together.

To broadcast messages in this scheme, each player $P_i$ chooses a random position $c_i$ and XORs her message $m_i$ with the pad $W_i(c_i)$ in $W_i$. This yields a new vector $V_i = (V_i(1), V_i(2), \ldots, V_i(n))$ differing from $W_i$ in the position $c_i$. Provided that all players have selected different positions $c_i$, the vector $V = \bigoplus_{i=1}^{n} V_i$ (i.e., the vector formed by XORing all messages in a given position) will consist of the set of messages posted by all players. Provided that keys and position selections $\{c_i\}$ are secret, the privacy of messages, i.e., the hiding of their originators, is unconditional.

As noted in Chaum’s original paper, shared secrets may be established non- 
interactively via Diffie-Hellman key exchange, yielding computationally secure 
privacy. 

A note on "collisions": Even when all players are honest, a problem arises in multi-player DC-nets in the selection of message positions $\{c_i\}$. In particular, there is no good non-interactive means of enabling all players to select distinct message positions. Hence, with some probability, two (or more) players will attempt to transmit messages in the same slot. In other words, players $P_i$ and $P_j$ will select $c_i = c_j$, so that the message $m_i \oplus m_j$ appears in the final vector $V$, rather than the individual messages. Some multi-round DC-net protocols address this problem via a reservation procedure, whereby players request "slots" in advance. In all cases, however, DC-nets involve collisions, whether of messages themselves or reservation requests. (The problem can be avoided through techniques like secure multiparty computation of a secretly distributed permutation of slots among players, but this is impractical.)

We do not treat the issue of collisions in this paper, but simply regard a DC- 
net as a primitive that provides only partial throughput, i.e., drops some fraction 
of messages. Better throughput may be achieved by high-layer protocols, e.g., 
protocol repetition, either serially or in parallel. 



2.1 Previous Work 

As already explained, a basic DC-net is subject to jamming by even a single dishonest player. Such a player $P_i$ may simply set her vector $V_i$ to a series of random pads. This effectively jams the DC-net: All elements in the final output $V$ will be random and thus no messages will be successfully delivered. Worse still, the very privacy guarantees of the DC-net render it impossible to trace the source of the jamming in this case. Alternatively, an attacker may corrupt messages by tampering with bits in a valid vector $V_j$. It is on this security problem that the literature on DC-nets mainly focuses.
In his original paper [11], Chaum proposes the detection of dishonest players 
via a system of “traps” in a multi-round protocol. Prior to message transmission, 
a reservation protocol takes place in which players reserve future message slots. 
At this time, each player commits to a declaration of “trap” or “non-trap” for her 
reserved slot. To jam the DC-net, a dishonest player must transmit a message in 
a slot she has not reserved. But if she tries to transmit a message in a slot that 
is a “trap,” then the attack may be detected during a decommitment phase. 

An important follow-up result is that of Waidner and Pfitzmann [21], who identify a weakness in this original protocol, and show that an attacker can feasibly strip the anonymity of honest players. (Improved reservation techniques in [2] and [22] reduce this possibility to some extent.) They propose a multi-round solution to this problem, also based on the idea of setting "traps" during a reservation phase. Like Chaum's protocol, theirs is only guaranteed to identify one dishonest player for a given "trap." No obvious method for fault recovery is available, apart from re-broadcasting. That said, it should be noted that the goal of this work is a little different from ours. While these researchers have sought to achieve unconditional untraceability assuming only honest point-to-point communication, our aim is to achieve privacy under only computational hardness assumptions.

Most recently, in [1], von Ahn, Bortz, and Hopper consider a constant-round 
anonymous-broadcast protocol that is essentially a DC-net variant (with an ini- 
tial partitioning of players into autonomous groups). They accomplish the dis- 
tribution of secrets for each protocol invocation via a secret-sharing protocol. In 
their scheme, the correctness of pads is proven via a cut-and-choose protocol. In 
the optimistic case, their protocol requires three broadcast rounds, and has O(n^) 
communications complexity (assuming a constant number of cut-and-choose in- 
vocations). In the presence of cheating players, the communications complexity 
rises to O(n'^). 

One problem with these previous protocols is that the computational and 
communications costs of catching cheating players with overwhelming probabil- 
ity is very high, requiring either many “traps” or many cut-and-choose invo- 
cations. This may not be problematic in cases where players may be reliably 
identified and where cheating carries a high penalty. For Internet systems, how- 
ever, in which identities are not trustworthy, and participation in anonymous 
systems may be short-lived, even a small amount of cheating in the form of, e.g., 
tampering with messages, may be highly problematic. There is the risk that a 
savvy attacker may simply create false identities and then discard them when 
cheating is detected. 

Our work is similar to the approach of von Ahn et al. in that we employ 
cryptographic proofs of correctness rather than “traps” in order to detect cheat- 
ing. We employ a different strategy for pad computation, however, that has the 
benefit of more efficient proofs of correct pad computation. In particular, for 
our short DC-net proposal, in which players perform only a linear number of 
modular exponentiations (in n) on furnishing inputs, we show how to detect 
cheating with overwhelming probability. Another critical feature of our proposal 
is, of course, its non-interactivity in the optimistic case. Additionally, even in 
the presence of faults, our protocols may be completed in just two broadcast 
rounds, and with O(n^) communications complexity. 

3 Preliminaries 

For the sake of simplicity, we assume throughout this paper the presence of a 
reliable broadcast channel. As is well known, such a channel may be simulated 
via Byzantine agreement in a network with reliable point-to-point delivery. (See 
[7] for recent results in this area.) Another possible instantiation would be a 
Web server that performs the function of receiving and publishing messages in 
an honest and reliable manner. (Our constructions may also be employed in the 
presence of an unreliable broadcast channel provided that a given message is seen 
either by all players or by none. In this case, a dropped message may be modelled 
as a faulty player.) We further assume that all messages are authenticated, i.e., 
securely bound to the identities of their originators. In practice, this may be 
accomplished via digital signatures. 

We define next the component functions of DC-nets. We denote the set of 
participants in the DC-net by $P = \{P_1, P_2, \ldots, P_n\}$. In what follows, when we 
specify a value as public or published, we assume it is transmitted to all players 
in P via an authenticated channel or entity. Setup is achieved by means of a 
parameter generation function paramgen and a key distribution function keydist. 
These functions are similar to those employed in standard discrete-log-based 
distributed cryptographic protocols. They are called once at the beginning to 
set up long-lived parameters shared by all players. A difference here, however, 
is that we employ admissible bilinear maps as a basic tool in our constructions, 
and must therefore make use of elliptic-curve based algebraic groups accordingly. 
We assume the appropriate background on the part of the reader, and refer to 
[5] for further details and notation. 

— Parameter generation: Taking security parameter $l$ as input, the function paramgen outputs a quintuple $\rho = (p, G_1, G_2, e, Q)$, where $G_1$ and $G_2$ are two groups of order $p$, $Q$ is a generator of $G_1$ and $e : G_1 \times G_1 \to G_2$ is an admissible bilinear map [5]. We require furthermore that the Decisional Bilinear Diffie-Hellman (DBDH) assumption holds for $e$. Using the terminology of [5], the function paramgen is a parameter generator that satisfies the DBDH assumption. (For our "long" DC-net construction, we may weaken our hardness assumption to the Bilinear Diffie-Hellman problem (BDH), i.e., the computational variant, rather than the decisional one.) In practice, the map $e$ may be instantiated with the Weil pairing over a suitable elliptic curve. The function paramgen may be executed by a trusted entity, which is our working assumption here. (Alternatively, it may be accompanied by a non-interactive proof of correct execution.) The quintuple $\rho$ is published. We leave system parameters implicit in our notation where appropriate.

— Key generation: The function keydist takes as input the parameter specification $\rho$. It yields for each player $P_i$ a private key $x_i \in_U \mathbb{Z}_p$ and a corresponding public key $y_i = x_i \cdot Q$. Each private key $x_i$ is additionally shared among other players in a $(k, n)$-threshold manner. In particular, let $f_i$ be a polynomial over $\mathbb{F}_p$ of degree $k - 1$ selected uniformly at random such that $f_i(0) = x_i$. Player $P_j \in P$ receives from player $P_i$ the private share $x_{i,j} = f_i(j)$, with a corresponding public share $y_{i,j} = x_{i,j} \cdot Q$. We assume that the function keygen is an algorithm executed by a trusted entity in a secure environment. (In practice, it may be instantiated by means of a distributed protocol; see [16] for an example of such a protocol and a discussion of the underlying security guarantees.)

We now describe the functions employed in the DC-net itself. We assume that players have access to a trustworthy global session counter $s$ and specification $\Pi_s \subseteq P$ of players participating in the session $s$. Note that the privacy properties of our construction (defined in appendix A) do not rely upon publication of $s$ or $\Pi_s$ in a trustworthy manner, but the robustness does.

Posting: $(V_{i,s}, \sigma_{i,s}, i, s) \leftarrow \text{post}(s, m_i, x_i);\ [\Pi_s, \{y_j\}_{j \in P}]$.

The function post is invoked in session $s$ by every player in $\Pi_s$. It returns to each player a set of outputs that hides that player's input, as well as auxiliary data that proves the correctness of the outputs. More precisely, the function post is a randomized function that takes as input the session counter $s$, a message $m_i$ and the private key $x_i$ of player $P_i$. Inputs to the function also include the set of players $\Pi_s$ participating in the session $s$ and all public keys. For visual clarity, we set off the latter parameters in square brackets. We define $n_s = |\Pi_s|$ to be the number of participants in session $s$. The function post outputs:

— An output vector $V_{i,s} = (V_{i,s}(1), \ldots, V_{i,s}(n_s))$. Let us denote the vector of random pads used by player $P_i$ as $W_{i,s} = (W_{i,s}(1), \ldots, W_{i,s}(n_s))$. The elements of the output vector and of the pad vector agree in all positions but one: the position $c_i$ where message $m_i$ is XORed with the pad. In other words $V_{i,s}(w) = W_{i,s}(w)$ for all $w \ne c_i$ and $V_{i,s}(c_i) = m_i \oplus W_{i,s}(c_i)$.

— Subsidiary data $\sigma_{i,s}$. The value $\sigma_{i,s}$ includes the identity of player $P_i$ and a proof of valid formatting of the vector $V_{i,s}$.

Verification: $\{0, 1\} \leftarrow \text{verify}((V, \sigma), s, i, \Pi_s);\ [\{y_j\}_{j \in P}]$.

The function verify determines the correctness of the vector $V$ output by a given player $P_i$. When $V$ is deemed correct, verify outputs '1'; otherwise it outputs '0'.
This function can be called non-interactively by any player who wishes to verify 
the correctness of an output vector produced by another player. 

Message extraction: $M \leftarrow \text{extract}(\{V_{i,s}\}_{i \in \Pi_s}, s);\ [\{y_j\}_{j \in P}]$.

Once all players in $\Pi_s$ have posted their output vectors, it should be possible for any entity to extract the messages input to the mix procedure. We denote by extract the function that accomplishes this. The output of extract is a set $M$ of at most $n_s$ distinct messages.
Pad reconstruction: $W_{i,s} \leftarrow \text{reconstruct}(i, \Pi_s, \ldots)$

If a player $P_i \in \Pi_s$ fails to produce a correct output vector (or any output at all), a quorum of other players in $\Pi_s$ can reconstruct that missing output. We denote by reconstruct the function that accomplishes this.

We denote by $DC = \{\text{paramgen}, \text{keydist}, \text{post}, \text{verify}, \text{extract}, \text{reconstruct}\}$ the complete set of functions constituting a DC-net.

4 Short DC-Net Protocol 

4.1 Intuition and Tools 

In our first construction, the basic message unit is an algebraic group element. 
We would like to enable players to prove correct behavior in this setting with 
overwhelming probability. This combination of features leads to two basic prob- 
lems: 

Problem 1: We would like any given player $P_i$ to be able to compute a partial pad $k_{i,j}(w)$ with any other player $P_j$ in a non-interactive way. In fact, $P_i$ must be able to compute many such partial pads non-interactively, namely one partial pad for every value $w$. Additionally, $P_i$ must be able to prove the correctness of any partial pad $k_{i,j}(w)$ (or more precisely, of any pad, which is composed of partial pads).

The contradiction: Suppose that $P_i$ computes partial pad $k_{i,j}(w)$ using a standard D-H protocol employing her own secret key $x_i$ and the public key $y_j$ of player $P_j$. (I.e., $k_{i,j}(w) = y_j^{x_i}$.) Since this computation is algebraic in form, $P_i$ can efficiently prove statements in zero knowledge about $k_{i,j}(w)$. On the other hand, it is only possible to perform this D-H computation once, and $P_i$ needs to do so for many different values of $w$! An alternative possibility is to hash $y_j^{x_i}$ with $w$ to generate partial pad $k_{i,j}(w)$. In this case, though, there is no way to prove that $k_{i,j}(w)$ was correctly constructed with overwhelming probability without inefficient techniques like cut-and-choose or general secure function evaluation.

The solution: It is in resolving this problem that bilinear mapping comes into play. It is possible to think of a bilinear map as a way of effecting a D-H exchange non-interactively across many different algebraic bases. In particular, $P_i$ can compute the partial pad $k_{i,j}(w) = e(y_j, x_i Q_w) = e(Q, Q_w)^{x_i x_j}$, where $Q_w$ is a randomly selected elliptic-curve point specific to $w$. We may thus think of $P_i$ as performing a D-H exchange relative to a different algebraic base $e(Q, Q_w)$ for every different value of $w$.

There are other possible solutions to this problem without use of bilinear maps, e.g., changing keydist such that the sum $\sum_i x_i = 0 \bmod q$ becomes a special condition on private keys. This, however, would mean that in practice the protocol could never be efficiently realized by having players generate their own key pairs. Also, this type of solution would not work for the long DC-net construction.
Problem 2: When a player $P_i$ publishes a vector $V$ of pads, she must prove its correctness. This means proving that every element of $V$ is a correct pad, except the one element modified to contain the message $m_i$ that $P_i$ wants to publish. The problem here is that $P_i$ of course does not wish to reveal which element of $V$ contains the message $m_i$!

The solution: For each pad position $w$ in her published vector, player $P_i$ commits to a bit $b_w$. She lets $b_w = 0$ if the element in position $w$ represents a correct pad, and $b_w = 1$ otherwise. $P_i$ then proves two things:

1. For every position $w$, either the pad is correct OR the bit $b_w = 1$.

2. The sum $\sum_w b_w = 1$, i.e., the vector $V$ contains at most one message.

To prove both of these facts, we use standard techniques for non-interactive proofs regarding statements involving discrete logs. We do so over the groups $G_1$ and $G_2$. As explored in many papers, these techniques permit honest-verifier zero-knowledge proof of knowledge of discrete logs [20], proof of equivalence of discrete logs [12], and first-order logical statements on such statements [9]. The proof protocols may be made non-interactive through use of the Fiat-Shamir heuristic [15]; they may be perfectly simulated with application of the random oracle model to the hash function used to generate challenges. We draw on the notation of Camenisch and Stadler [8] for a unified treatment and formal specification of these proofs in our detailed protocol. (E.g., $PoK\{x : e = g^x \wedge f = h^x\}$ means a proof of knowledge that $\log_g e = \log_h f$, and is NIZK for our purposes.)

4.2 Protocol Details 

Parameter and key generation. The function paramgen outputs the set of parameters $\rho = (p, G_1, G_2, e, Q)$. We also assume the existence of a hash function $h : \{0,1\}^* \to G_1$ that is publicly known. The function keydist$(\rho)$ then outputs a secret key $x_i \in \mathbb{Z}_p$ for each player $P_i$. Recall that shares of this secret key are distributed to other players and that all public keys are published.

Message posting. The pads $W_{i,s}(k)$ for player $P_i$ in session $s$ are computed as follows. We compute the point $Q_k = h(s \| k)$ on $G_1$ and let

$W_{i,s}(k) = \prod_{j \in \Pi_s,\, j \ne i} e(y_j, Q_k)^{\delta_{ij} x_i},$

where $\delta_{ij} = 1$ if $i < j$ and $\delta_{ij} = -1$ if $j < i$. Player $P_i$ then chooses at random a value $c_i \in \Pi_s$ and multiplies the message $m_i \in G_2$ with pad $W_{i,s}(c_i) \in G_2$ to produce the output vector $V_{i,s}$. We turn now to the computation of the auxiliary verification data $\sigma_{i,s}$.

1. Let $g$ and $h$ be two fixed random generators in a group $G$ of order $q$ for which the discrete logarithm problem is hard. Player $P_i$ chooses independently at random $n$ values $r_1, \ldots, r_n \in \mathbb{Z}_q$. For $1 \le k \le n$, where $k \ne c_i$, $P_i$ computes $w_k = h^{r_k}$. $P_i$ computes $w_{c_i} = g \cdot h^{r_{c_i}}$.
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2. The prover proves knowledge of log^((/ ^ nr=o PoK{r : nr=o = 

3. For 1 < k < TTs, Pi proves the following statement: 

(^i,s{k) = e(^yj,QkY' and P, knows log^(wfe)^ or ^P, knows log^(wfc/g) 

i.e., PoKja;, r : {Wi^s{k) = e{Il Vj^QkT A Wk = V {wk/g = /i'')}. 

The string ai^s consists of all the values computed in steps 1 and 2 above. 
Finally, the function post outputs (Vi_s, CTj^s, z, s). 

Verification. Anyone can verify non-interactively that the values computed in
$\sigma_{i,s}$ are correct.

Message extraction. Given the $\pi_s$ vectors $V_{1,s}, \ldots, V_{\pi_s,s}$ published by the
players in $\Pi_s$, anyone can non-interactively compute $V_k = \prod_{i \in \Pi_s} V_{i,s}(k)$ for
$k \in \Pi_s$. Recall that the definition of the pads is such that $\prod_{i \in \Pi_s} W_{i,s}(k) = 1$.
We need now to introduce a notation for the subset of players who chose to
publish their message in position $k$ for a given $k$. For $k \in \Pi_s$, we denote
$c^{-1}(k) = \{ i \in \Pi_s \mid c_i = k \}$. Note that the subset $c^{-1}(k)$ could be empty, or
contain a single or multiple players. Now it is clear that in every position $k$ for
which $c^{-1}(k)$ is a singleton $\{i\}$, we have $V_k = m_i$. All other messages $m_i$ for
which $c^{-1}(c_i)$ is not a singleton are unrecoverable in the output. The output of
the function extract is the set of messages $m_i$ which are recovered in the output.

Pad reconstruction. If a subset of players $\mathcal{V} \subseteq \Pi_s$ fail to publish their output
vector, the remaining players can reconstruct the pads of the missing players, and
compute the output of the DC-net, as follows. Each player $P_i$ for $i \notin \mathcal{V}$ publishes
$x_{j,i} \cdot Q_k$ for all $j \in \mathcal{V}$, where $x_{j,i}$ is $P_i$'s share of $x_j$. Anyone can verify the
correctness of these values by checking that $e(Q, x_{j,i} Q_k) = e(y_{j,i}, Q_k)$, where
$y_{j,i} = x_{j,i} Q$ is the published public value of that share. Furthermore, these
values enable any player to recompute the pads of missing player $P_j$, since each
factor $e(Q_k, y_l)^{x_j}$ of those pads can be derived from the values $e(x_{j,i} Q_k, y_l)$ by
polynomial interpolation in the exponent.
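The interpolation step is the same in the long protocol (Section 5.2), where it recovers seeds instead of pads. As an added worked example (editor's code, not the paper's), here it is carried out in a toy Diffie-Hellman group rather than in $G_1$: the share holders publish $Q_k$ raised to their share, and the factor $Q_k^{x_j}$ is recovered by Lagrange interpolation in the exponent without anyone learning $x_j$ or any other $Q_{k'}^{x_j}$. The pairing-based check of each published share has no analogue in this group and is left out; the group parameters, the threshold and the sample values are assumptions of the example.

```python
"""Pad reconstruction by Lagrange interpolation in the exponent.

Added example (editor's code, not from the paper). The missing player's key x_j is shared
with a Shamir polynomial of degree t-1 over Z_q. For the position element Q_k (here
Q_k = g^{r_k} in a toy group with p = 2039, q = 1019, g = 4) each holder i publishes
Q_k^{x_{j,i}}, and anyone combines t of them into Q_k^{x_j}. The paper's per-share
pairing check e(Q, x_{j,i} Q_k) = e(y_{j,i}, Q_k) is omitted here.
"""
P, Q, G = 2039, 1019, 4

def share(secret, t, n, coeffs):
    """Shamir shares {i: a(i)} of `secret` for holders 1..n; a(z) has degree t-1 over Z_q."""
    assert len(coeffs) == t - 1
    def a(z):
        return (secret + sum(c * pow(z, d + 1, Q) for d, c in enumerate(coeffs))) % Q
    return {i: a(i) for i in range(1, n + 1)}

def lagrange_at_zero(holders):
    """lambda_i = prod_{l != i} l / (l - i) mod q, so that sum_i lambda_i a(i) = a(0)."""
    lam = {}
    for i in holders:
        num, den = 1, 1
        for l in holders:
            if l != i:
                num = num * l % Q
                den = den * (l - i) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam

def publish(Qk, my_share):
    """What holder i publishes for position k: Q_k raised to its share x_{j,i}."""
    return pow(Qk, my_share, P)

def reconstruct_pad_factor(Qk, published):
    """Given {i: Q_k^{x_{j,i}}} from a set of holders, return prod (Q_k^{x_{j,i}})^{lambda_i}.

    With t or more holders this equals Q_k^{x_j}; with fewer it is an unrelated element.
    """
    lam = lagrange_at_zero(list(published))
    out = 1
    for i, v in published.items():
        out = out * pow(v, lam[i], P) % P
    return out
```

Interpolation happens entirely in the exponent: the holders never publish $x_{j,i}$ itself, and the result for one $Q_k$ says nothing about $Q_{k'}^{x_j}$ for a different position, which is the per-seed recoverability the text argues for.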

5 Long DC-Net Protocol 

5.1 Intuition and Tools 

In order to obtain a “stretched” pad of the desired length in our long DC-net, 
it is necessary to apply a PRNG to a secret seed K, i.e., to use symmetric-key 
techniques. In consequence, proofs based on the algebraic structure of pads are 
no longer possible, and there are no efficient techniques for effecting proofs with 
overwhelming probability. Our use of symmetric-key techniques thus engenders 
two basic problems: 




466 Philippe Golle and Ari Juels



Problem 1: We face the same basic problem as in the short DC-net: It is 
necessary to prove correct construction of vectors without revealing where the 
messages are positioned. But the use of symmetric-key primitives means that we 
cannot benefit from the same NIZK proof techniques as in the short DC-net. 

The solution: We resolve this problem by employing proof techniques that detect 
cheating players with high, but not overwhelming probability. In particular, we 
use a technique very similar to that of “randomized partial checking” [18] for 
mixnets. The idea is for a player Pi to prove correctness of her published vector V 
by generating a random challenge R non-interactively. This challenge R specifies 
a subset of half of the elements in the vector V. Pi reveals the underlying seeds 
for these as part of her proof. These seeds are derived essentially just like pads 
in the short DC-net. Thus, it is possible to provide a simple proof of correctness 
that may be non-interactively verified by other players. 

One problem, of course, is that if $P_i$ transmits a message $m_i$, then with
probability 1/2, the challenge $R$ will lead to opening of the seed for the position
containing that message. This problem may be resolved quite simply: $P_i$ chooses
challenges until she finds one that does not lead to opening of the seed for the
message position. Some tens of attempts will permit this with overwhelming
probability.

Since only half of the seeds are revealed, some number of invalid pads can
escape detection. In particular, for a given challenge, any seed will be revealed
with probability 1/2. Hence, given $u$ invalid pads, an adversary must perform
work roughly $2^u$ to compute a challenge $R$ that does not reveal cheating. In
practice, therefore, we would expect an adversarial player to be unable to insert
more than, say, 80 invalid pads into a vector. Thus such a player can "jam" only
a limited number of slots. Assuming large enough vectors and adversarial control
of a small enough set of players, the throughput for the DC-net remains fairly
high.

Thus, our proof protocol is as follows. Let $h$ be a hash function from $\{0,1\}^*$
to $\mathbb{Z}_n$ (modelled in our proof as a random oracle).

1. The player chooses a random seed $r$ and computes $h(V \| r \| 1), h(V \| r \| 2), \ldots$
until these values form a subset $S \subset \{1, \ldots, n\}$ of size $|S| = n/2$. Note
that $i \neq j$ does not imply $h(V \| r \| i) \neq h(V \| r \| j)$, so that more than $n/2$
computations may be required to obtain the set $S$.

2. If the position holding the message lies in $S$, the set $S$ is discarded. The prover
returns to step 1 and chooses a new random seed. Step 1 is successful on average
after 2 tries.

3. Otherwise, the protocol outputs the random seed $r$ and the set $S$. For all
$j \in S$, the protocol also outputs the secret key $k_j$ from which the pad in position
$j$ is derived.

4. The verifier verifies that the set $S$ is correctly computed from randomness
$r$. For all $j \in S$, the verifier uses the key $k_j$ to verify the correctness of $V_j$.

Problem 2: Since the seeds used to compute pads in our long DC-net assume
the same form as those in the short DC-net, the reconstruction procedure is very
similar. The only difference in the process is that once a seed is recovered, the
PRNG must be applied to obtain the corresponding pad. What we highlight,
however, is that our use of bilinear maps is solving a fundamental problem in
the long DC-net construction.

In the short DC-net, honest players could, in principle, make do without using
bilinear maps. Indeed, they can reconstruct a pad in a verifiable way without
revealing any long-term secrets, by exploiting the algebraic structure of pads. (As
explained in the footnote above, it is possible in principle to have, for example,
secret keys $\{x_i\}$ that cancel, i.e., such that $\sum_i x_i = 0 \bmod q$, thereby engendering
pads that "cancel." Note that this results in a very cumbersome key setup.) In
the case of long DC-nets, however, there is no good way to do this. Briefly stated,
the application of the PRNG eliminates algebraic structure on the pads.

The only way, therefore, to achieve "cancellation" of pads in a long DC-net
is for pairs of players to share secrets. But as already noted, in a standard setup
without bilinear maps, it is possible for a pair of players $(P_i, P_j)$ to establish
a shared secret $S$ non-interactively only once, through application of D-H to
their public keys. This secret $S$ can be used to generate new secrets for multiple
sessions through application of symmetric-key primitives, e.g., secrets may be
generated as $h(S, 1), h(S, 2), \ldots$. But without expensive general techniques, there
is no way to reconstruct a given secret $h(S, w)$ without revealing $S$ itself and
consequently compromising all shared secrets between $P_i$ and $P_j$.

The solution: This is where bilinear maps are helpful. As explained above, the
intuition is that for a single pair of public keys, a bilinear map may be thought
of as permitting non-interactive D-H key establishment across many different
algebraic bases. Thus, each seed may be reconstructed individually by honest
players holding shares of the private keys of $P_i$ and $P_j$. Under the (Bilinear)
Diffie-Hellman assumption, this may be accomplished without compromising
the privacy of other seeds. (In algebraic terms, one seed might assume the form
$S_1 =$ while another assumes the form $S_2 =$ . Provided that $g_1$ and
$g_2$ are random, knowledge of $S_1$ does not permit computation of $S_2$.)



5.2 Protocol Details

In this section, we define our long DC-net protocol and highlight the differences
with the short DC-net. The main differences between the long and short schemes
lie in the definition of the auxiliary data $\sigma_{i,s}$ and the verification algorithm.

Parameter and key generation. This step is nearly identical to the short protocol.
The function paramgen outputs parameters $\rho = (p, G_1, G_2, e, Q)$. As in the
short protocol, we use a hash function $h : \{0,1\}^* \to G_1$. We also assume the
existence of a publicly known pseudo-random number generator $f : G_2 \to \{0,1\}^l$,
where $l$ is the length in bits of messages processed by the long DC-net. (For
the purposes of our proofs, we model this as a random oracle.) The function
keydist($\rho$) distributes keys to all players.
Message posting. Recall that we define the point $Q_k = h(s \| k)$ on $G_1$. The
pads $W_{i,s}(k)$ for player $P_i$ in session $s$ are computed as follows:

$$W_{i,s}(k) = \bigoplus_{j \in \Pi_s - \{i\}} f\!\left(e(Q_k, y_j)^{x_i}\right).$$

Recall that player $P_i$ then chooses at random a value $c_i \in \Pi_s$ and XORs the
message $m_i$ with pad $W_{i,s}(c_i)$ to produce the output vector $V_{i,s}$. We turn now
to the computation of the auxiliary verification data $\sigma_{i,s}$:

1. Recall that the number of participants in session $s$ is denoted $\pi_s$. Let $\psi$ be a
hash function from $\{0,1\}^*$ to $\mathbb{Z}_{\pi_s}$. Using $\psi$ and a random value $r$, the player
$P_i$ computes a subset $S \subset \{1, \ldots, \pi_s\}$ of size $\pi_s / 2$ such that $c_i \notin S$.

2. For all $j \in S$, $P_i$ proves that the value $V_{i,s}(j)$ is computed correctly by
revealing $x_i Q_j$.

The string $\sigma_{i,s}$ consists of the values computed in steps 1 and 2 above. Finally,
the function post outputs $(V_{i,s}, \sigma_{i,s}, i, s)$.

Verification. Anyone can verify non-interactively that the values computed in
$\sigma_{i,s}$ are correct.

Message extraction. Given the $\pi_s$ vectors $V_{1,s}, \ldots, V_{\pi_s,s}$ published by the
players in $\Pi_s$, anyone can non-interactively compute $V_k = \bigoplus_{i \in \Pi_s} V_{i,s}(k)$ for
$k \in \Pi_s$. Recall that the definition of the pads is such that $\bigoplus_{i \in \Pi_s} W_{i,s}(k) = 0$.
Using the same notations as in the short protocol, it is clear that
$V_k = \bigoplus_{i \in c^{-1}(k)} m_i$. In other words, in every position $k$ for which $c^{-1}(k)$
is a singleton $\{i\}$, we have $V_k = m_i$. All other messages $m_i$ for which $c^{-1}(c_i)$
is not a singleton are unrecoverable in the output. The output of the function
extract is the set of messages $m_i$ which are recovered in the output.

Pad reconstruction. If a subset of players $\mathcal{V} \subseteq \Pi_s$ fail to publish their output
vector, the remaining players can reconstruct the pads of the missing players, and
compute the output of the DC-net, as follows. Each player $P_i$ for $i \notin \mathcal{V}$ publishes
$x_{j,i} \cdot Q_k$ for all $j \in \mathcal{V}$. Anyone can verify the correctness of these values by
checking that $e(Q, x_{j,i} Q_k) = e(y_{j,i}, Q_k)$. Furthermore, these values enable any
player to recompute the seeds of missing player $P_j$, since the value $e(Q_k, y_l)^{x_j}$
can be computed from the values $e(x_{j,i} Q_k, y_l)$ by polynomial interpolation. The
pads themselves may then be computed through application of $f$.

6 Conclusion 

We have proposed two new DC-net constructions. Unlike previous DC-net pro- 
posals, our constructions allow for efficient detection and identification of cheat- 
ing players with high probability. When cheating is detected, a single additional 
broadcast round enables full fault recovery. Our DC-net protocols are thus re- 
silient to the jamming attacks that negated the simplicity and non-interactivity 
of earlier DC-net proposals. 
In the appendix, we define a formal model in which we prove the privacy
and correctness of our constructions. We observe that our comparatively simple
definitions and proofs are made possible by the non-interactivity of DC-nets.

A Security Definitions

A.1 Privacy

We consider a static adversary $\mathcal{A}$ capable of actively corrupting a set $P_{\mathcal{A}}$ of fewer
than $n/2$ players in $P$. We regard a mix network DC as private if $\mathcal{A}$ is unable to
determine the origin of any message input by an honest player with probability
significantly better than a random guess. We capture this concept by way of an
experiment in which $\mathcal{A}$ selects just two honest players $p_0$ and $p_1$ as targets. The
adversary may also choose a pair of plaintexts $(m_0, m_1)$ to serve as inputs for
these two target players. The plaintexts are randomly assigned to $p_0$ and $p_1$; the
task of $\mathcal{A}$ is to guess this assignment.

We let $post_i(\cdot, \cdot, \cdot)$ denote an oracle that posts a message on behalf of player
$P_i$. The adversary may specify $s$, $m$ and $\Pi_s$. The oracle is assumed to have access
to the private keys of $P_i$. The adversary may not invoke a given oracle twice on
the same session identifier $s$. (In a real-world protocol, this restriction is easily
enforced through use of a local counter.)

The oracle $post_i(\cdot, \cdot, \cdot)$ also produces auxiliary data $\sigma_{i,s}$. A small difficulty
arises in the long protocol, where $\sigma_{i,s}$ reveals half the pads of player $P_i$. If the
pads of all honest players are revealed in the positions where $p_0$ and $p_1$ posted
$m_0$ and $m_1$, then $\mathcal{A}$ can trivially determine which player posted which message.
This happens with low probability if the number of honest players is large. In
our privacy experiment, we assume that the auxiliary data does not reveal the
pads used by $p_0$ and $p_1$ in the positions where they posted $m_0$ and $m_1$.

The oracle $post^*(\cdot, \cdot, \cdot, \cdot)$ is a special oracle call that causes the two
targeted players to post the chosen messages $(m_0, m_1)$. In particular, this oracle
call is equivalent to two successive oracle calls: $post_{p_0}(m_b, s, \Pi_s, \cdot)$ and
$post_{p_1}(m_{1-b}, s, \Pi_s, \cdot)$, where $p_0, p_1 \in P - P_{\mathcal{A}}$.

We let $reconstruct_i(\cdot, \cdot)$ denote an oracle that returns the reconstructed pad of
player $P_i$. The adversary may specify the session $s$ and $\Pi_s$. The oracle is assumed
to have access to the private key held by $P_i$. The oracle $reconstruct_i$ may be called
by $\mathcal{A}$ at any point during the experiment, with the following restriction: $\mathcal{A}$ may
not call $reconstruct_{p_0}$ or $reconstruct_{p_1}$ for the session $s$ in which $\mathcal{A}$ chose to call
the special oracle $post^*$. This restriction is natural: it simply states that $\mathcal{A}$ is not
allowed to ask for the pads of players $p_0$ and $p_1$ in the session in which it must
guess the assignment of messages $m_0, m_1$ to $p_0, p_1$.

We let $\in_U$ denote uniform, random selection from a set. Security parameters
are left implicit.
Experiment $Exp^{priv}_{\mathcal{A}}(DC);\ [k, n, l]$
    paramgen($l$); keydist;
    $P_{\mathcal{A}} \leftarrow \mathcal{A}(\{PK_i\})$;
    $(m_0, m_1, p_0, p_1) \leftarrow \mathcal{A}^{\{post_i(\cdot,\cdot,\cdot,\cdot)\}_{i \in P - P_{\mathcal{A}}},\ reconstruct_i(\cdot,\cdot)}$;
    $b \in_U \{0, 1\}$;
    $b' \leftarrow \mathcal{A}^{\{post_i(\cdot,\cdot,\cdot,\cdot)\}_{i \in P - P_{\mathcal{A}}},\ reconstruct_i(\cdot,\cdot),\ post^*(\cdot,\cdot,\cdot,\cdot)}$;
    if $b' = b$ output '1' else output '0';

We define the advantage of $\mathcal{A}$ in this experiment as

$$Adv^{priv}_{\mathcal{A}}(DC);\ [k, n, l] = \Pr[Exp^{priv}_{\mathcal{A}}(DC);\ [k, n, l] = \text{'1'}] - 1/2 .$$

We say that our scheme is private if this advantage is negligible for all adversaries 
A with polynomial running time (where the quantities are defined asymptotically 
with respect to I in the usual manner) . The following propositions show that our 
short and long DC-nets are private. (The proofs are in appendix B.) 

Proposition 1. The short DC-net protocol of section 4 is private if the Decisional
Bilinear Diffie-Hellman (DBDH) problem is hard in the group $G_1$.

Proposition 2. The long DC-net protocol of section 5 is private if the Bilinear
Diffie-Hellman (BDH) problem is hard in the group $G_1$.

Remark: the non-interactivity of the mix network DC makes possible this rela- 
tively simple definition of privacy. In a mix network involving interaction among 
players, an adversary can change the behavior of honest players by inducing er- 
rors or failures in the outputs of corrupted players. The resulting broad scope of 
adversarial behavior induces considerably more complex privacy definitions. 

A.2 Correctness

We define correctness in terms of the ability of a corrupted player $P_i$ to post
a vector $V$ that has an invalid format, but is accepted by the function verify.
Invalid formatting may mean that $V$ includes incorrectly computed pads or,
alternatively, that $V$ contains an inadmissibly large number of messages. More
formally, we deem a vector $V$ correct if it constitutes a valid output of post
for the private key of the correct player. (Other definitions are possible.) We use
the angle brackets '$\langle \rangle$' to denote the set of possible function outputs.

Experiment $Exp^{corr}_{\mathcal{A}}(DC);\ [k, n, l]$
    paramgen($l$); keydist;
    $P_{\mathcal{A}} \leftarrow \mathcal{A}(\{PK_i\})$; $((V, \sigma, i, s), \Pi_s) \leftarrow \mathcal{A}$;
    if $(V, \sigma, i, s) \notin \langle post(s, m, x_i);\ [\Pi_s, \{y_j\}_{j \in P}] \rangle$ for any $m$ and
       $verify((V, \sigma), s, i, \Pi_s);\ [\{y_j\}_{j \in P}] =$ '1' then output '1';
    else output '0';

We define the advantage of $\mathcal{A}$ in this experiment as $Adv^{corr}_{\mathcal{A}}(DC);\ [k, n, l] =
\Pr[Exp^{corr}_{\mathcal{A}}(DC);\ [k, n, l] = \text{'1'}]$. We regard our scheme as providing correctness if
for all adversaries $\mathcal{A}$ with polynomial running time, this advantage is negligible.

Proposition 3. The short DC-net protocol of section 4 is correct.

Proposition 4. The long DC-net protocol of section 5 satisfies a weaker property.
If an adversary submits an output in which $k$ pads out of $n$ are incorrectly
computed, the probability that verify accepts this output is $2^{-k}$.

B Proofs of Privacy 

Proposition 1. The short DC-net protocol of section 4 is private if the Decisional
Bilinear Diffie-Hellman (DBDH) problem is hard in the group $G_1$.

Proof. Let $\mathcal{A}$ be a polynomial-time adversary who wins $Exp^{priv}_{\mathcal{A}}(DC)$ with non-
negligible advantage $\epsilon$. We use $\mathcal{A}$ to solve DBDH challenges with non-negligible
advantage as follows. We first call paramgen($l$) to get parameters $(p, G_1, G_2, e, Q)$
where $G_1$ and $G_2$ are groups of order $p$, $Q$ is a generator of $G_1$ and $e : G_1 \times G_1 \to
G_2$ is an admissible bilinear map. Let $(aQ, bQ, cQ, dQ)$ be a DBDH challenge in
$G_1$ (the challenge is to determine whether $d = abc$ or $d$ is random).

We give $\mathcal{A}$ the output of paramgen($l$). Next we simulate keydist for $\mathcal{A}$. We
let the public keys of two players (say $P_1$ and $P_2$) be $y_1 = aQ$ and $y_2 = bQ$.
For every other player, we choose a private key $x_i \in_U \mathbb{Z}_p$ and compute the
corresponding public key $y_i = x_i \cdot Q$. Given all these public keys, $\mathcal{A}$ returns the
set $P_{\mathcal{A}}$ of players it controls. If $P_1 \in P_{\mathcal{A}}$ or $P_2 \in P_{\mathcal{A}}$, we abort. Otherwise, we
give $\mathcal{A}$ the private keys of all the players in $P_{\mathcal{A}}$. We also give $\mathcal{A}$ the shares of the
private keys held by all the players in $P_{\mathcal{A}}$. For the private keys of players $P_1$ and
$P_2$, which we do not know, we generate random shares.

$\mathcal{A}$ can then call the oracle $post_i(\cdot,\cdot,\cdot,\cdot)$ any number of times for $i \in P - P_{\mathcal{A}}$.
For all but one session for which $\mathcal{A}$ calls post, we let $h(s \| k) = r_{s,k} Q$, where
the values $r_{s,k} \in_U \mathbb{Z}_p$. For one session $s_0$, we define $h(s_0 \| k)$ differently. We
choose 2 "special" positions $k_0, k_1 \in_U \{1, \ldots, \pi_{s_0}\}$, as well as $R \in_U \mathbb{Z}_p$. We define
$h(s_0 \| k_0) = cQ$, $h(s_0 \| k_1) = RcQ$ and for $k \notin \{k_0, k_1\}$, we let $h(s_0 \| k) = r_{s_0,k} Q$
for values $r_{s_0,k}$ chosen at random in $\mathbb{Z}_p$.

To simulate $post_i(\cdot,\cdot,\cdot,\cdot)$ for $\mathcal{A}$ in session $s$, we need the pads $W_{i,s}(k) =
\prod_{j \neq i} e(Q_k, y_j)^{\delta_{ij} x_i}$, where $Q_k = h(s \| k)$. For all sessions $s \neq s_0$, we have
$Q_k = h(s \| k) = r_{s,k} Q$ and therefore we can compute the pad $W_{i,s}(k)$ for all
players $P_i$ (even for $P_1, P_2$) using the equality $e(Q_k, y_j)^{x_i} = e(r_{s,k}\, y_i, y_j)$. For
session $s_0$, we can compute the pads of all players except $P_1$ and $P_2$, whose
private keys we do not know. If $\mathcal{A}$ calls post for $P_1$ or $P_2$ in session $s_0$, we abort.

Note that knowledge of the pads also enables us to simulate the auxiliary data
$\sigma_{i,s}$ in both the short and the long protocol, as well as the oracle reconstruct.

$\mathcal{A}$ then chooses two messages $m_0, m_1$ to be posted by two players $p_0, p_1$ of
the adversary's choice. If $\{p_0, p_1\} \neq \{P_1, P_2\}$, we abort the simulation. $\mathcal{A}$ may
again call $post_i$ and we simulate that oracle as before.
Finally, $\mathcal{A}$ calls $post^*$ for a particular session. If that session is not $s_0$, we
abort. Otherwise, we simulate $post^*$ as follows. For $P_1$, we define the pads:

$$W_{1,s_0}(k_0) = e(Q, dQ)^{\delta_{12}} \prod_{3 \le j \le n} e(Q_{k_0}, y_j)^{\delta_{1j} x_1}$$

$$W_{1,s_0}(k_1) = e(Q, dQ)^{R\,\delta_{12}} \prod_{3 \le j \le n} e(Q_{k_1}, y_j)^{\delta_{1j} x_1}$$

$$W_{1,s_0}(k) = \prod_{2 \le j \le n} e(Q_k, y_j)^{\delta_{1j} x_1} \quad \text{for } k \notin \{k_0, k_1\}$$

(The factors for $j \ge 3$ are computable as $e(aQ, Q_k)^{\delta_{1j} x_j}$ since we know $x_j$; for
$k \notin \{k_0, k_1\}$ the $j = 2$ factor equals $e(r_{s_0,k}\, y_1, y_2)^{\delta_{12}}$.) We define the pads
for $P_2$ similarly. We choose a bit $b$ at random and let $P_1$ post $m_b$ in position $k_0$
and $P_2$ post $m_{1-b}$ in position $k_1$. We simulate the corresponding NIZK proofs for
the auxiliary data using standard techniques by allowing the simulator to set
random oracle responses before making commitments.

$\mathcal{A}$ outputs a guess $b'$. If $b' = b$, we guess that $(aQ, bQ, cQ, dQ)$ is a DBDH
tuple, and otherwise that it is not. It remains to show that our guess is correct
with non-negligible advantage:

- When $d = abc$, by definition of $\mathcal{A}$, we have $b' = b$ with advantage $\epsilon$.

- When $d \neq abc$, our simulation of the pads $W_{1,s_0}(k_0)$, $W_{1,s_0}(k_1)$, $W_{2,s_0}(k_0)$ and
$W_{2,s_0}(k_1)$ is incorrect. There is consequently no way for $\mathcal{A}$ to distinguish
between respective partial pads for $P_1$ and $P_2$ of the form $(V_1, V_2) = (Rand \oplus
m_1, Rand)$ and $(V_1, V_2) = (Rand, Rand \oplus m_2)$, because they are identically
distributed (here, $Rand$ denotes random values). In other words, $\mathcal{A}$ can't
possibly guess the bit $b$ with non-negligible advantage.

This shows that when the simulation does not abort, $\mathcal{A}$ solves DBDH challenges
with advantage $\epsilon / 2$. The probability that the simulation does not abort is greater
than the inverse of a polynomial in the security parameter. Overall, we have used
$\mathcal{A}$ to solve DBDH challenges with non-negligible advantage. □

Proposition 2. The long DC-net protocol of section 5 is private if the Bilinear
Diffie-Hellman (BDH) problem is hard in the group $G_1$.

Proof. The proof is similar to that of Proposition 1. Let $\mathcal{A}$ be a polynomial-
time adversary who wins $Exp^{priv}_{\mathcal{A}}(DC)$ with non-negligible advantage $\epsilon$ and let
$(aQ, bQ, cQ)$ be a BDH challenge (the challenge is to compute $dQ$, where $d =
abc$). We embed the BDH challenge as before. The difference worth noting is
that the output of the bilinear function, in the long protocol, is expanded with a
PRNG $f$. We model $f$ as a random oracle. There are two possible distributions
for the simulator: distribution $D$, where the simulator calls $f(dQ)$ (for the correct
BDH value $d$), and distribution $D'$, where the simulator uses a random value. $\mathcal{A}$
cannot distinguish between $D$ and $D'$ unless it calls $f$ on input $dQ$.

If $\mathcal{A}$ cannot distinguish $D$ from $D'$, it cannot distinguish a real-world protocol
invocation from one in which random pads are used and therefore cannot learn
anything about which player posted which message. $\mathcal{A}$ then must be able to
distinguish $D$ from $D'$ and so must call the random oracle on input $dQ$ with
non-negligible probability. We answer the BDH challenge with one of $\mathcal{A}$'s calls
to the random oracle, chosen uniformly among them, and win with non-negligible
probability since $\mathcal{A}$ is polynomially bounded and so makes polynomially many
queries. □
Abstract. Algebraic attacks on LFSR-based stream ciphers recover the
secret key by solving an overdefined system of multivariate algebraic
equations. They exploit multivariate relations involving key bits and out-
put bits and become very efficient if such relations of low degrees may
be found. Low degree relations have been shown to exist for several well
known constructions of stream ciphers immune to all previously known
attacks. Such relations may be derived by multiplying the output func-
tion of a stream cipher by a well chosen low degree function such that the
product function is again of low degree. In view of algebraic attacks, low
degree multiples of Boolean functions are a basic concern in the design
of stream ciphers as well as of block ciphers.

This paper investigates the existence of low degree multiples of Boolean
functions in several directions: The known scenarios under which low
degree multiples exist are reduced and simplified to two scenarios, that
are treated differently in algebraic attacks. A new algorithm is proposed
that allows to successfully decide whether a Boolean function has low
degree multiples. This represents a significant step towards provable se-
curity against algebraic attacks. Furthermore, it is shown that a recently
introduced class of degree optimized Maiorana-McFarland functions im-
manently has low degree multiples. Finally, the probability that a random
Boolean function has a low degree multiple is estimated.

Keywords: Algebraic attacks, Stream ciphers, Boolean functions, Algebraic
degree, Annihilator, Low degree multiple, Resiliency.

1 Introduction 

Algebraic attacks on stream ciphers based on linear feedback shift registers 
(LFSR’s) have been proposed in [8]. Many stream ciphers consist of a linear 
part, producing a sequence with a large period, usually composed of one or sev- 
eral LFSR’s, and a nonlinear combining function / that produces the output, 
given the state of the linear part. Algebraic attacks recover the secret key by 
solving an overdefined system of multivariate algebraic equations. These attacks 
exploit multivariate relations involving key/state bits and output bits of $f$. If
one such relation is found that is of low degree in the key/state bits, algebraic
attacks are very efficient [6].

In [8] it is demonstrated that low degree relations, and thus successful alge-
braic attacks, exist for several well known constructions of stream ciphers that
are immune to all previously known attacks. In particular, low degree relations
are proven to exist for ciphers using a combining function $f$ with a small num-
ber of inputs. These low degree relations are obtained by producing low degree
polynomial multiples of $f$, i.e., by multiplying the Boolean function $f$ by a well
chosen low degree function $g$ such that the product function $f * g$ is again of low
degree.

Alternative methods to attack stream ciphers by solving overdefined systems
of equations using Gröbner bases have become known [11]. In order to be
efficient, these methods rest on the existence of low degree multiples as well.

To counter algebraic attacks, it is recommended in [8] that the combining
function $f$ should have at least 32 inputs. But even then, it cannot at present be
excluded for certain that $f$ has low degree multiples, which would make a
fielded or a new design vulnerable to algebraic attacks. This is in strong contrast
to other attacks on stream ciphers: a variety of proposed stream ciphers have
been shown to be provably resistant, e.g., against the Berlekamp-Massey shift
register synthesis algorithm.

In a different direction, in view of algebraic attacks on block ciphers, [7], it 
may be desirable to know for certain, e.g., that there are no low degree equations, 
relating output bits of a (reduced round) block cipher, plaintext bits and key 
bits. We mention also that recently the framework of algebraic attacks has been 
extended to combiners with memory [6, 1]. 

As a consequence, investigation of Boolean functions with regard to existence 
of low degree multiples is of both, theoretical and practical interest. 

The results of this paper contribute to this problem in four directions: We 
reduce and simplify the scenarios found in [8], under which low degree multiples 
may exist. As a significant step towards provable resistance against algebraic 
attacks we propose an algorithm that allows to successfully decide whether a 
Boolean function has low degree multiples. This new algorithm can be efficient 
for input sizes of / of 32 bits or larger. Furthermore, we show that for a recently 
proposed class of Boolean functions, the degree optimized Maiorana-McFarland 
class [18], relatively low degree multiples are immanent. Finally we derive upper 
bounds on the probability that a random Boolean function has a low degree 
multiple. This is partly done by using results from coding theory. These bounds 
are shown to give strong estimates for input sizes of practical interest. 

To further explain some of our results, recall that the main cryptographic cri- 
teria for Boolean functions / used for stream cipher applications had previously 
been a high algebraic degree, to counter linear synthesis by Berlekamp-Massey 
algorithm, some order of correlation immunity (resiliency), and large distance 
to affine functions (high nonlinearity), to withstand different types of correla- 
tion and linear attacks [17, 13, 3]. There are some known tradeoffs between the 
criteria, e.g., there is the bound by Siegenthaler [19], that the algebraic degree
of $f$ is upper bounded by $n - t - 1$, where $n$ is the number of inputs of $f$ and
$t < n - 1$ is its order of resiliency.

The more recent algebraic attacks impose a new restriction on the combining
function $f$ chosen: $f$ shouldn't have low degree multiples. In [8], essentially three
different scenarios are described which lead to low degree multiples of a Boolean
function which can be exploited in algebraic attacks. We show that these sce-
narios can be reduced to two, to be treated differently in algebraic attacks. This
simplified description of scenarios leads to a precise measure of algebraic im-
munity of a Boolean function $f$: The algebraic immunity $AI(f)$ is the minimum
value of $d$ such that $f$ or $f + 1$ admits an annihilating function of degree $d$. Recall
that an annihilator of $f$ is a non-zero function $g$ such that $f * g = 0$.

The new criterion that / shouldn’t have a low algebraic immunity, may be 
in conflict with some established criteria. This is exemplified for the Maiorana- 
McFarland class. These functions can have high resiliency, high nonlinearity, and 
optimum algebraic degree [10, 2, 4, 18]. Nevertheless it is shown in this paper 
that such functions can have relatively low algebraic immunity (Example 1). 
This is done by deriving a useful representation for the complete set of annihila- 
tors for a given function /. Any annihilator can be viewed as a concatenation of 
annihilators from some smaller variable space. This method when applied to a 
function in the standard Maiorana-McFarland class [10, 2] only yields annihila- 
tors of degree larger than the degree of the function itself. However, this method 
may be successfully applied to the degree optimized Maiorana-McFarland class 
[18], showing that relatively low degree annihilators are immanent for this class. 

In the design of stream ciphers, this property needs to be avoided. There-
fore, it is desirable to have an efficient algorithm for deciding whether a given
Boolean function has no low degree annihilator. Such an algorithm is derived in
this paper (Algorithm 2). A refined version allows to decide whether a Boolean
function with $n$ inputs has no annihilator of degree $d$ at most 5, in about 
operations, which e.g. for $n = 32$ is certainly feasible. If for a stream cipher a
degree $d$ annihilator with $d = 4$ (say) of its combining function $f$ (or $f + 1$) is
found by our algorithm, we can break this cipher. On the other hand, if $f$ and
$f + 1$ are shown to have no annihilator of degree $d \le 5$, this cipher has some
amount of immunity against algebraic attacks, as for $d = 6$ and for a size of
the initial state of 128 bits, the computational complexity of the basic algebraic
attack in [8] is already about 2®®.

The paper is organized as follows. In Section 2 the basic definitions and notions 
regarding Boolean functions are introduced. Section 3 recalls and simplifies the 
various scenarios of algebraic attacks. Algebraic properties of annihilators for 
an arbitrary function / are addressed in Section 4, where an alternative repre- 
sentation of annihilators is given which is useful for the analysis of some well 
known classes of Boolean functions. Section 5 deals with the fundamental prob- 
lem of efficiently deciding whether the combining function in a stream cipher 
has annihilators of low degrees. In Section 6 we estimate an upper bound on the 
probability that a random function has annihilators of certain degree. 
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2 Preliminaries 

A Boolean function on n variables may be viewed as a mapping from {0, 1}^n
into {0, 1}. A Boolean function f(x_1, ..., x_n) is also interpreted as the output
column of its truth table f, i.e., a binary string of length 2^n,

  f = [f(0, 0, ..., 0), f(1, 0, ..., 0), f(0, 1, ..., 0), ..., f(1, 1, ..., 1)].

The Hamming distance between n-variable functions f, g, denoted by d(f, g),
is

  d(f, g) = #\{x \in \mathbb{F}_2^n \mid f(x) \neq g(x)\}.

Also the Hamming weight or simply the weight of f is the number of ones in
f. This is denoted by wt(f). An n-variable function f is said to be balanced if
its output column in the truth table contains an equal number of 0's and 1's (i.e.,
wt(f) = 2^{n-1}).

The Galois field of order 2^n will be denoted by F_{2^n} and the corresponding
vector space by F_2^n. The addition operator over F_2 is denoted by ⊕, and if no con-
fusion is to arise we use the usual addition operator +. An n-variable Boolean
function f(x_1, ..., x_n) can be considered to be a multivariate polynomial over
F_2. This polynomial can be expressed as a sum of products representation of
all distinct r-th order products (0 ≤ r ≤ n) of the variables. More precisely,
f(x_1, ..., x_n) can be written as

  f(x_1, \ldots, x_n) = \sum_{u \in \mathbb{F}_2^n} \lambda_u \left( \prod_{i=1}^{n} x_i^{u_i} \right), \quad \lambda_u \in \mathbb{F}_2,\ u = (u_1, \ldots, u_n).   (1)

This representation of f is called the algebraic normal form (ANF) of f. The
algebraic degree of f, denoted by deg(f) or sometimes simply d, is the maximal
value of the Hamming weight of u such that λ_u ≠ 0. There is a one-to-one
correspondence between the truth table and the ANF via so called inversion
formulae. The set of x values for which f(x) = 1 respectively f(x) = 0 is called
the on-set respectively the off-set, denoted by S_1(f) and S_0(f). The ANF of f
is fully specified by its on-set using the following expansion,

  f(x_1, \ldots, x_n) = \sum_{\tau \in S_1(f)} \left( \prod_{i=1}^{n} (x_i + \tau_i + 1) \right), \quad \tau = (\tau_1, \ldots, \tau_n).   (2)

The set of all Boolean functions in n variables is denoted by R_n. For any
0 ≤ b ≤ n an n-variable function is called non degenerate on b variables if its
ANF contains exactly b distinct input variables. Functions of degree at most one
are called affine functions. An affine function with constant term equal to zero
is called a linear function. The set of all n-variable affine (respectively linear)
functions is denoted by A_n (respectively L_n). The concatenation, denoted by "||",
simply means that the truth tables of the functions are merged. For instance,
for f_1, f_2 ∈ R_{n-1} one may construct f = f_1 || f_2 (where f ∈ R_n), meaning that
the upper half part of the truth table of f corresponds to f_1 and the lower part
to f_2. The ANF of f is then given by

  f(x_1, \ldots, x_n) = (1 + x_n) f_1(x_1, \ldots, x_{n-1}) + x_n f_2(x_1, \ldots, x_{n-1}).
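As an added illustration of the conventions of this section (example code, not from the paper), the following Python routines build the truth table of a function in the ordering given above, convert it to its ANF with the Möbius transform (the "inversion formulae" mentioned in the text), compute degree, weight and balancedness, and check the concatenation formula for f = f_1 || f_2. All function names are my own choices.

```python
# Truth tables and ANF with the conventions of Section 2.  A function on n
# variables is a list of 2**n bits; bit i-1 of the list index holds x_i, so the
# list reads f(0,...,0), f(1,0,...,0), f(0,1,0,...,0), ..., f(1,...,1).

def truth_table(func, n):
    """Truth table of a Python callable func(x1, ..., xn) in the ordering above."""
    return [func(*[(idx >> i) & 1 for i in range(n)]) & 1 for idx in range(1 << n)]

def anf_from_truth_table(tt):
    """Moebius transform.  anf[u] is the coefficient lambda_u of prod x_i^{u_i} in (1),
    with u encoded like a truth-table index.  The transform is an involution, so the
    same routine maps an ANF back to its truth table."""
    n = len(tt).bit_length() - 1
    a = list(tt)
    for i in range(n):
        for idx in range(1 << n):
            if idx & (1 << i):
                a[idx] ^= a[idx ^ (1 << i)]
    return a

def truth_table_from_anf(anf):
    return anf_from_truth_table(anf)

def degree(tt):
    """Algebraic degree: largest weight of u with lambda_u = 1 (-1 for the zero function)."""
    return max((bin(u).count("1") for u, c in enumerate(anf_from_truth_table(tt)) if c),
               default=-1)

def weight(tt):
    return sum(tt)

def is_balanced(tt):
    return 2 * weight(tt) == len(tt)

def hamming_distance(f, g):
    """d(f, g) = #{x : f(x) != g(x)}."""
    return sum(a != b for a, b in zip(f, g))

def anf_string(tt):
    """Readable ANF such as 'x1x2 + x3', terms ordered by their index u."""
    n = len(tt).bit_length() - 1
    terms = []
    for u, c in enumerate(anf_from_truth_table(tt)):
        if c:
            terms.append("".join(f"x{i + 1}" for i in range(n) if (u >> i) & 1) or "1")
    return " + ".join(terms) if terms else "0"

def concatenate(f1, f2):
    """f = f1 || f2: upper half of the truth table from f1, lower half from f2,
    i.e. f(x_1..x_n) = (1 + x_n) f1(x_1..x_{n-1}) + x_n f2(x_1..x_{n-1})."""
    assert len(f1) == len(f2)
    return list(f1) + list(f2)

if __name__ == "__main__":
    f1 = truth_table(lambda x1, x2: x1 & x2, 2)      # x1x2
    f2 = truth_table(lambda x1, x2: x1 ^ x2, 2)      # x1 + x2
    f = concatenate(f1, f2)
    print(anf_string(f), "deg", degree(f), "wt", weight(f), "balanced", is_balanced(f))
```

With f_1 = x_1 x_2 and f_2 = x_1 + x_2 the concatenation has ANF x1x2 + x1x3 + x2x3 + x1x2x3, which is exactly (1 + x_3) x_1 x_2 + x_3 (x_1 + x_2) expanded.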







Willi Meier, Enes Pasalic, and Claude Carlet 



3 Algebraic Attacks: Scenarios Revisited

In [8], three different scenarios (S3a, S3b, S3c) are described under which low
degree relations (that hold with probability 1) may exist and how they can be
exploited in algebraic attacks. The aim of this section is to show that these can
be reduced to essentially two scenarios, and to clarify how to use them in an
attack.

To recall the scenarios in [8], let the Boolean function f have high degree.

S3a Assume that there exists a function g of low degree such that the product
function is of low degree, i.e., f * g = h, where h is a nonzero function of
low degree.

S3b Assume there exists a function g of low degree such that f * g = 0.

S3c Assume there exists a function g of high degree such that f * g = h where
h is nonzero and of low degree.

Consider scenario S3c. Then f * g = h ≠ 0. Multiply this equation by f. As f^2 = f
does hold over F_2, we get f^2 * g = f * h = f * g = h. Hence f * h = h. As h is of low
degree, we are in scenario S3a. Therefore, scenario S3c is redundant. Further,
one might consider another scenario (not contained in [8]): factorizations of the
form f = g * h, where g and/or h are of low degree. However, g * (1 + g) = 0
over F_2. Hence by multiplying f = g * h by 1 + g, we get f * (1 + g) = 0, i.e., we
are back in scenario S3b. These considerations suggest that in algebraic attacks
one can always restrict to scenarios S3a and S3b. There is an interesting relation
between the two:

Proposition 1 Assume that f * g = h ≠ 0 does hold for some functions g and
h of degrees at most d (scenario S3a). Suppose in addition that g ≠ h. Then
there is a function g' of degree at most d such that f * g' = 0 (scenario S3b).

Proof. As above, we have f^2 * g = f * g = f * h = h. Hence f * (g + h) = 0. □

The argument just given shows that we can reduce ourselves to scenario S3a in
the case where g = h, and scenario S3b. However, S3a with g = h is equivalent to
scenario S3b for the function f + 1.

The existence of algebraic attacks will impose that neither f nor f + 1 does
admit an annihilating function of low degree. This motivates the notion "alge-
braic immunity" of f, denoted by AI(f), which is the minimum value of d such
that f or f + 1 admits an annihilating function of degree d.

In [8], low degree relations according to scenarios S3a or S3b are proven to
exist for any Boolean function f with a small number of inputs:

Theorem 6.0.1 [8, 9] Let f be any Boolean function with n inputs. Then there
is a Boolean function g ≠ 0 of degree at most ⌈n/2⌉ such that f * g is of degree
at most ⌈n/2⌉.
Remark 1 Without restricting the form of the function, the upper bound given
above cannot be improved for the case of annihilators, i.e. f * g = 0. For instance
one example of a function not admitting annihilators of degree lower than n/2
is given in [11]. Namely the function in 6 variables, denoted there CanFil 8, has
annihilators of degree d ≥ 3 only. Moreover, [9, Table H] gives experimental evi-
dence that a random function with 10 variables is not likely to have an annihilator
of degree lower than 5.

To exploit low degree relations as in scenarios S3a and S3b, assume that N_d
linearly independent functions h with f * g = h have been found, where h and
g have low degree d. Similarly, assume that linearly independent functions g
of low degree d have been found such that f * g = 0.

In an algebraic attack on an LFSR-based stream cipher, it is assumed that
the feedback connections are known. Let (s_0, ..., s_{k-1}) be the initial state of the
driving LFSR's. Then the output of the cipher is given by:

  b_0 = f(s_0, \ldots, s_{k-1})
  b_1 = f(L(s_0, \ldots, s_{k-1}))
  b_2 = f(L^2(s_0, \ldots, s_{k-1}))
  \ldots

Here L denotes the linear update function to the next state of the LFSR's
involved. The problem is to recover the k-bit key (s_0, ..., s_{k-1}). Let x equal
L^i(s_0, ..., s_{k-1}).

If the output bit b_i = 1, we use scenario S3b, i.e., f * g = 0, and get an
equation g(x) = 0. Alternatively, we can use scenario S3a, f * g = h, and take
g(x) = h(x). However, either g = h, which gives nothing, or g ≠ h, which gives
g + h = 0, i.e. we are back in scenario S3b.

If b_i = 0, use scenario S3a: h(x) = 0. Hence for any known output bit b_i we
get N_d equations, if b_i = 0, and equations, if b_i = 1.

If we get at least one such equation for each of sufficiently many output bits,
we obtain a very overdefined system of multivariate equations of low degree d,
that can be solved efficiently: There are about T ≈ \binom{k}{d} monomials of degree at
most d in the k variables s_i, i = 0, ..., k − 1 (assuming d ≪ n/2). Consider each
of these monomials as a new variable V_j. Given R > \binom{k}{d} equations, we get a
system of R > T linear equations in the V_j's that can be solved by Gaussian
elimination. If more than one equation holds per output bit, the output stream
needed reduces accordingly.
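The reduction of the scenarios to S3a and S3b can be checked exhaustively for a small function. The following Python code is an added example, not from the paper: it enumerates all functions of degree at most d on n = 4 variables, collects the S3b annihilators and the S3a pairs (g, h), computes AI(f) directly from its definition, and verifies that every S3a pair yields the annihilator g + h promised by Proposition 1 (or, when g = h, an annihilator of f + 1). The sample function x_1 x_2 + x_3 x_4 and all names are my own choices.

```python
# Brute-force check of the scenario reduction of Section 3 on a 4-variable
# function.  Truth tables are tuples of 2**n bits, bit i-1 of the index = x_i;
# "*" is the pointwise product and "+" the pointwise XOR of the paper.
from itertools import combinations

def degree(tt):
    """Algebraic degree via the Moebius transform (-1 for the zero function)."""
    n = len(tt).bit_length() - 1
    a = list(tt)
    for i in range(n):
        for idx in range(1 << n):
            if idx & (1 << i):
                a[idx] ^= a[idx ^ (1 << i)]
    return max((bin(u).count("1") for u, c in enumerate(a) if c), default=-1)

def mul(f, g):
    return tuple(a & b for a, b in zip(f, g))

def add(f, g):
    return tuple(a ^ b for a, b in zip(f, g))

def functions_of_degree_at_most(n, d):
    """All 2**(sum_{i<=d} C(n,i)) functions of degree <= d, as F_2 sums of monomials."""
    monos = [tuple(int(all((idx >> i) & 1 for i in s)) for idx in range(1 << n))
             for r in range(d + 1) for s in combinations(range(n), r)]
    for mask in range(1 << len(monos)):
        tt = (0,) * (1 << n)
        for j, m in enumerate(monos):
            if (mask >> j) & 1:
                tt = add(tt, m)
        yield tt

def scenarios(f, d):
    """Degree-<= d relations of f: the nonzero annihilators g (scenario S3b) and
    the pairs (g, h) with f * g = h != 0 and deg h <= d (scenario S3a)."""
    n = len(f).bit_length() - 1
    annihilators, pairs = [], []
    for g in functions_of_degree_at_most(n, d):
        h = mul(f, g)
        if not any(h):
            if any(g):
                annihilators.append(g)
        elif degree(h) <= d:
            pairs.append((g, h))
    return annihilators, pairs

def algebraic_immunity(f):
    """AI(f): least d such that f or f + 1 has a nonzero annihilator of degree <= d."""
    n = len(f).bit_length() - 1
    f1 = add(f, (1,) * (1 << n))
    for d in range(n + 1):
        if scenarios(f, d)[0] or scenarios(f1, d)[0]:
            return d
    return n   # not reached: Theorem 6.0.1 gives d <= ceil(n/2)

def reduction_holds(f, d):
    """Proposition 1 and the remark after it: an S3a pair with g != h gives the
    annihilator g + h of f, one with g == h gives an annihilator of f + 1."""
    annihilators, pairs = scenarios(f, d)
    annihilators = set(annihilators)
    f1 = add(f, (1,) * len(f))
    return all(add(g, h) in annihilators if g != h else not any(mul(f1, g))
               for g, h in pairs)

if __name__ == "__main__":
    # constructed sample: f = x1x2 + x3x4
    F = tuple(((i & 1) & (i >> 1 & 1)) ^ ((i >> 2 & 1) & (i >> 3 & 1)) for i in range(16))
    print("AI(f) =", algebraic_immunity(F), " reduction holds:", reduction_holds(F, 2))
```

For x_1 x_2 + x_3 x_4 no affine function vanishes on the on-set of f or of f + 1, while (1 + x_1)(1 + x_3) annihilates f, so AI(f) = 2, the maximum allowed by Theorem 6.0.1 for n = 4.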



4 Properties of the Annihilator Set

As set out in the introductory part, in the realm of algebraic attacks there is one
major concern: Given a Boolean function f used in a stream cipher, the task is
to determine whether this function has low algebraic immunity, i.e., whether f
or f + 1 has a low degree annihilator. In this section we specify the structure of
the set of annihilators for a given f, and also give an alternative representation
of their ANF. Let An(f) = {g | f * g = 0} denote the annihilator set for the
function f in the Boolean ring R_n = F_2[x_1, ..., x_n]/I, I being the ideal generated
by the polynomials x_i^2 − x_i, i = 1, ..., n. Since in this ring f(1 + f) = 0 for any
f ∈ R_n the set An(f) is nonempty.

Theorem 1. Let f be any Boolean function in R_n. Then An(f) is a principal
ideal in R_n generated by (1 + f), i.e. An(f) = {(1 + f) r | r ∈ R_n} = <1 + f>.
Its cardinality equals |An(f)| = 2^{2^n − |S_1(f)|}. In particular when f is balanced
|An(f)| = 2^{2^{n−1}}.

Proof. In order to show that An(f) is a principal ideal in the Boolean ring R_n
generated by (1 + f), we prove firstly that An(f) is a subring of R_n, then an
ideal which is principal.

To prove that An(f) is a subring of R_n it is enough to demonstrate that
An(f) is closed under the operations '+' and '*'. Clearly An(f) is nonempty
since (1 + f) ∈ An(f). Let g, h ∈ An(f). Then f * (g + h) = f * g + f * h = 0,
and f * (g * h) = (f * g) * h = 0. Hence An(f) is closed under '+' and '*', and
therefore a subring of R_n.

Obviously for any r ∈ R_n, g ∈ An(f), we have r * g ∈ An(f). Thus An(f)
is an ideal. Let us prove that An(f) is a principal ideal. For if h ∈ An(f) and
h ∉ <1 + f>, then f * h = 0 implying h * (1 + f) = h, so h ∈ <1 + f>.

Next we prove the assertion on the cardinality of An(f). Note that the con-
dition f(x) * g(x) = 0 implies that

  f(x) = 1 \implies g(x) = 0 \quad \forall x \in \mathbb{F}_2^n.

Then at any position τ ∈ F_2^n for which f(τ) = 0, g(τ) may be selected arbi-
trarily, i.e. there are 2^{|S_0(f)|} possibilities for g. Hence |An(f)| = 2^{2^n − |S_1(f)|}. In
particular if f is balanced then |An(f)| = 2^{2^{n−1}}. □



Henceforth we restrict our discussion to balanced functions having much wider
cryptographic applications (at least in the case of stream ciphers). For a balanced
function f the quotient ring R_n/An(f) has 2^{2^{n−1}} elements. As noticed, there is
a strong symmetry between the two different attacks based on the annihilators
f * g = 0 and the multiples of low degree f * r = h. Indeed, the cardinality
of nonzero annihilators #{An(f) \ 0} = 2^{2^{n−1}} − 1 is the same as the number
of distinct h when considering f * r = h. This is confirmed by noting that any
function r in the coset a + An(f) gives f * r = f * a = h, and there are 2^{2^{n−1}} − 1
such cosets for a ≠ 0. In other words, finding low degree annihilators is equivalent
to designing a low degree function g defined on some subset of S_0(f). Similarly,
as any g defined on the subset of S_0(f) gives f * g = 0, the existence of low degree
multiples of the form f * r = h may always be viewed as design of the low degree
h on the subset of S_1(f) due to the decomposition of the form r = g + h. We
attempt to deduce some properties of the cosets of An(f) regarding its minimum
degree.
Proposition 2 Let f ∈ R_n be a nonaffine balanced function. Then An(f) con-
tains exactly one balanced function, namely the function 1 + f.

In particular, there are no nonzero affine functions in An(f).

Proof. In order that f * g = 0 the function g must satisfy g(x) = 0 whenever
f(x) = 1. Since f is balanced |S_0(g)| ≥ 2^{n−1}. Then if g is to be balanced it must
be that g = 1 + f. In particular, since any nonconstant affine function is balanced and 1 + f
is nonlinear by assumption, there are no nonzero affine functions in An(f). □

Corollary 1 There is exactly one nonzero annihilator of degree one for any
affine function a ∈ A_n given by (1 + a).

Proof. Since a is affine the only balanced annihilator is of the form 1 + a which
is an affine function. □
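An added, self-contained check of Theorem 1, Proposition 2 and Corollary 1 for n = 3, where R_3 has only 256 elements and An(f), <1 + f> and A_n can simply be enumerated (example code, not from the paper; the sample functions and the names are my own):

```python
# Exhaustive check of Theorem 1, Proposition 2 and Corollary 1 in R_3.
# Truth tables are tuples of 2**n bits, bit i-1 of the index = x_i.
from itertools import product

def all_functions(n):
    """R_n as a list of truth tables."""
    return [tuple(bits) for bits in product((0, 1), repeat=1 << n)]

def mul(f, g):
    return tuple(a & b for a, b in zip(f, g))

def add(f, g):
    return tuple(a ^ b for a, b in zip(f, g))

def annihilator_set(f):
    """An(f) = {g : f * g = 0}."""
    return {g for g in all_functions(len(f).bit_length() - 1) if not any(mul(f, g))}

def principal_ideal(f):
    """<1 + f> = {(1 + f) r : r in R_n}."""
    n = len(f).bit_length() - 1
    one_plus_f = add(f, (1,) * (1 << n))
    return {mul(one_plus_f, r) for r in all_functions(n)}

def affine_functions(n):
    """A_n: every a_0 + a_1 x_1 + ... + a_n x_n (mask encodes a_1..a_n)."""
    return {tuple(a0 ^ (bin(idx & mask).count("1") & 1) for idx in range(1 << n))
            for a0 in (0, 1) for mask in range(1 << n)}

def is_balanced(tt):
    return 2 * sum(tt) == len(tt)

def theorem1_holds(f):
    """|An(f)| = 2**(2**n - |S_1(f)|) and An(f) = <1 + f>."""
    an = annihilator_set(f)
    return len(an) == 2 ** (len(f) - sum(f)) and an == principal_ideal(f)

def balanced_annihilators(f):
    return {g for g in annihilator_set(f) if is_balanced(g)}

def affine_annihilators(f):
    return annihilator_set(f) & affine_functions(len(f).bit_length() - 1)

if __name__ == "__main__":
    # constructed sample: f = x1x2 + x3, balanced and nonaffine
    F = tuple(((i & 1) & (i >> 1 & 1)) ^ (i >> 2 & 1) for i in range(8))
    print(theorem1_holds(F), len(annihilator_set(F)),
          len(balanced_annihilators(F)), len(affine_annihilators(F)))
```

For f = x_1 x_2 + x_3 the on-set has 4 elements, so |An(f)| = 2^{8−4} = 16, the only balanced annihilator is 1 + f and the only affine one is 0; for the affine a = x_1 + x_2 the affine annihilators are exactly 0 and 1 + a.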



4.1 Concatenating Annihilators with Application to
Maiorana-McFarland Class

We know that M = {1, x_1, ..., x_n, x_1 x_2, ..., x_{n−1} x_n, ..., x_1 x_2 ··· x_n}, the set of
2^n monomials, constitutes the basis of R_n which we call the monomial basis.
An alternative basis may be derived by considering all the products of the form
∏_{i=1}^{n} (x_i + τ_i + 1) when τ runs through F_2^n. It is clear that any such product
∏_{i=1}^{n} (x_i + τ_i + 1) specifies the function defined to be nonzero exactly for x = τ and
zero otherwise. Hence the set E_n = {∏_{i=1}^{n} (x_i + τ_i + 1) | τ ∈ F_2^n} constitutes the
basis of R_n which will be called polynomial basis. In fact distinct basis elements
are orthogonal to each other, that is e * e' = 0 for e ≠ e' ∈ E_n with the exception
that for any e ∈ E_n we have e * e = e, which is in accordance with the property
that any element in the Boolean ring R_n is idempotent.

An important application of these ideas is a general result on the set of
annihilators.

Theorem 2. Let f be a balanced Boolean function in R_n. In general, for a
positive integer m, 1 ≤ m ≤ n − 1, write f as

  f(y, x) = \bigoplus_{\tau \in \mathbb{F}_2^{n-m}} \left( \prod_{i=1}^{n-m} (y_i + \tau_i + 1) \right) r_\tau(x),

for (y, x) ∈ F_2^{n−m} × F_2^m, and not necessarily distinct functions r_τ in R_m. Then
any annihilator of f can be written in the form

  g(y, x) = \bigoplus_{\tau \in \mathbb{F}_2^{n-m}} \left( \prod_{i=1}^{n-m} (y_i + \tau_i + 1) \right) g_\tau(x),   (3)

where g_τ is any annihilator of r_τ.

Proof. Due to the orthogonality of distinct products ∏_{i=1}^{n−m} (y_i + τ_i + 1) and
the fact that g_τ is an annihilator of r_τ for any τ ∈ F_2^{n−m}, it is easily verified that
f g = 0. By Theorem 1 for a function r_τ ∈ R_m there are 2^{2^m − |S_1(r_τ)|} distinct
annihilators. Let G = {g | g_τ ∈ An(r_τ), τ ∈ F_2^{n−m}} and denote by r_0, ..., r_{2^{n−m}−1}
the subfunctions of f when τ runs through F_2^{n−m}. Then,

  |G| = 2^{2^m - |S_1(r_0)|} \cdots 2^{2^m - |S_1(r_{2^{n-m}-1})|} = 2^{2^n - |S_1(f)|} = 2^{2^{n-1}},

which is in accordance with Theorem 1, that is |G| = |An(f)|. It is obvious that
the functions in G are pairwise distinct, hence all annihilators are in G. □

This approach is a very efficient method for annihilating the functions which
have a subfunction of low degree on some (n − m)-dimensional flat.

Example 1 The functions in the standard Maiorana-McFarland class may be
viewed as a concatenation of affine functions from some smaller variable space.
That is f(y, x) = ⊕_{τ ∈ F_2^{n−m}} (∏_{i=1}^{n−m} (y_i + τ_i + 1)) a_τ(x), where a_τ(x) ∈ A_m are
affine functions in m variables for all τ. Then the annihilators of degree n − m + 1
are for instance obtained by choosing g_{τ*}(x) = 1 + a_{τ*}(x) in (3) for a fixed
τ* ∈ F_2^{n−m} and otherwise g_τ(x) = 0. But the degree of such an annihilator is
n − m + 1 which equals the maximum degree of the Maiorana-McFarland class
of functions and is therefore not of practical use. □

The result above is more successfully applied to the degree optimized Maiorana-
McFarland class that has been introduced in [18]. Here some affine functions
in A_m (at least one) are replaced by suitably chosen nonlinear function(s) h_i
of degree m − t − 1, t being the order of resiliency. Then the degree of f is
optimized, i.e. deg(f) = n − t − 1. Still, multiplying this function by g(y, x) =
(∏_{i=1}^{n−m} (y_i + τ_i + 1))(1 + a_τ(x)) (for τ ∈ F_2^{n−m} chosen such that f is affine on
that m-dimensional flat) the degree of f is decreased from n − t − 1 to n − m + 1.
As m > n/2 when t > 0 for this class, in many cases one obtains annihilators of
degree < n/2.
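The following Python code is an added example, not the paper's own: it builds a function in the Maiorana-McFarland form of Theorem 2 for n = 6, m = 4 (the concrete subfunctions are my choice) together with the annihilator of shape (3) from Example 1, once with four affine subfunctions and once with one of them replaced by a degree 2 function as in the degree optimized class. The degrees show why the construction only pays off in the second case: the annihilator keeps degree n − m + 1 = 3 while deg f rises from 3 to 4.

```python
# Maiorana-McFarland concatenation of Theorem 2 / Example 1 and its degree
# optimized variant.  Index layout of a truth table on n = (n-m) + m variables:
# bits 0..m-1 of the index hold x = (x_1..x_m), bits m..n-1 hold y = (y_1..y_{n-m}).
N, M = 6, 4                                      # n = 6 variables, subfunctions on m = 4

def degree(tt):
    """Algebraic degree via the Moebius transform (-1 for the zero function)."""
    n = len(tt).bit_length() - 1
    a = list(tt)
    for i in range(n):
        for idx in range(1 << n):
            if idx & (1 << i):
                a[idx] ^= a[idx ^ (1 << i)]
    return max((bin(u).count("1") for u, c in enumerate(a) if c), default=-1)

def parity(v):
    return bin(v).count("1") & 1

def affine_tt(m, mask, a0=0):
    """Truth table of a_0 + (sum of the x_i selected by mask) on m variables."""
    return tuple(a0 ^ parity(x & mask) for x in range(1 << m))

def concatenate(sub, n, m):
    """f(y, x) = XOR_tau prod_i (y_i + tau_i + 1) r_tau(x): on the flat y = tau the
    function equals sub[tau], a truth table on m variables.  Used for f (with the
    subfunctions r_tau) and, as in (3), for g (with the sub-annihilators g_tau)."""
    tt = []
    for idx in range(1 << n):
        x, tau = idx & ((1 << m) - 1), tuple((idx >> (m + i)) & 1 for i in range(n - m))
        tt.append(sub[tau][x])
    return tuple(tt)

def is_annihilator(f, g):
    return any(g) and not any(a & b for a, b in zip(f, g))

def build(degree_optimized=False):
    """Return (f, g): f in the class, g the annihilator of shape (3) with
    g_tau = 1 + a_tau on the flat tau* = (0, 1), where f is affine, and 0 elsewhere."""
    sub = {(0, 0): affine_tt(M, 0b0011),         # x1 + x2
           (1, 0): affine_tt(M, 0b0110, 1),      # 1 + x2 + x3
           (0, 1): affine_tt(M, 0b1100),         # x3 + x4
           (1, 1): affine_tt(M, 0b1011)}         # x1 + x2 + x4
    if degree_optimized:                         # one affine piece replaced by x1x2 + x3 + x4
        sub[(1, 1)] = tuple(((x & 1) & (x >> 1 & 1)) ^ parity(x & 0b1100) for x in range(1 << M))
    f = concatenate(sub, N, M)
    tau_star = (0, 1)
    ann_sub = {tau: (0,) * (1 << M) for tau in sub}
    ann_sub[tau_star] = tuple(1 ^ b for b in sub[tau_star])
    return f, concatenate(ann_sub, N, M)

if __name__ == "__main__":
    for opt in (False, True):
        f, g = build(opt)
        print("degree optimized" if opt else "standard", " deg f =", degree(f),
              " deg g =", degree(g), " annihilator:", is_annihilator(f, g))
```

Note that with four affine pieces the x_2 coefficient occurs in an odd number of subfunctions, which is what makes the y_1 y_2 x_2 term survive and gives deg f = 3; a different choice of affine pieces can cancel all such terms and leave f of degree 2.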

5 How to Decide the (Non-) Existence of Annihilators

In this section we derive an efficient algorithm to decide whether a given Boolean
function f in n variables x = (x_1, ..., x_n) has low algebraic immunity, i.e., whether
f or f + 1 has an annihilator of low degree. From ([9], proof of Theorem C.0.1)
one deduces the following algorithm for determining annihilating functions for
f, i.e., functions g such that f(x) * g(x) = 0 for all x:

A necessary and sufficient condition for f * g = 0 is that the function g
vanishes for all arguments x for which f(x) = 1. The algebraic normal form
ANF of a function g in n variables of degree d is a sum of a constant and
monomials x_{i_1} ··· x_{i_m}, 1 ≤ m ≤ d, determined by its coefficients
a_{(i_1 ... i_m)} whose number equals \sum_{i=0}^{d} \binom{n}{i}. For some complexity estimates, we
approximate this number by the summand \binom{n}{d} which is dominant for d < n/2.
In order to determine the unknown coefficients of an annihilating function
substitute all arguments x in g(x) with f(x) = 1. For balanced f these are 2^{n−1}
arguments. We thus get 2^{n−1} linear equations for the coefficients of g, which can
be solved by Gaussian elimination. This method immediately allows one to decide
whether there is an annihilator g of degree at most d, and if so, to determine a set
of linearly independent annihilators (of degree at most d). In view of Theorem
C.0.1 in [9] we assume d ≤ ⌈n/2⌉.

Algorithm 1 

1. Substitute all N arguments x with f(x) = 1 in the ANF of a general Boolean
function g(x) of degree d. This gives a system of N linear equations for the
coefficients of g(x).

2. Solve this linear system. 

3. If there is no (nontrivial) solution, output no annihilator of degree d, 
else determine sets of coefficients for linearly independent annihilators. 

For n not much larger than about 10, solving this system of linear equations
is quite easy. However, in [12] it is recommended that the combining function
f in a stream cipher should have more than 10 (e.g. 32) arguments, to prevent
algebraic attacks.

For such numbers of inputs, Algorithm 1 becomes infeasible, as the number
of equations is on the order of 2^{n−1}, and the complexity of Gaussian elimination
already for n = 20 inputs is about 2^{57}. In [11] there are given two alternative
algorithms for determining low degree annihilators and low degree multiples of
functions, both of which are based on Gröbner bases. The examples of functions
given in [11] have at most n = 10 variables. No complexity estimates are given in
[11] for determining the necessary Gröbner bases for general n, however it seems
that these methods become infeasible as well for larger numbers of variables.

Here we propose an accelerated method for deciding whether a Boolean func-
tion has an annihilator of low degree d. As in Algorithm 1, let the (candidate)
annihilators g of degree d of f be described as ANF with unknown coefficients.

We assume that f behaves roughly like a random function, i.e., the coefficients
in the ANF of f are roughly chosen at random. If this is not the case, e.g., if
the nonzero coefficients are sparse, the algorithm may be adapted to be even
more efficient. (However, for cipher design, we do not advocate sparse functions.)
Suppose f is (close to) balanced. Then the number of arguments x with weight
w ≤ d and f(x) = 1 is about half the number of coefficients of g(x).

The idea is to exploit some specific structure of the system of equations
occurring in Algorithm 1. To see this, start with arguments x with Hamming
weight w = 1. Suppose the only value 1 in x is at position i. Then substituting
this x in g(x) = 0 gives a_i + a_0 = 0. Thus a_i = a_0. There are about n/2
arguments x of weight 1 with f(x) = 1. Assume d ≥ 2. Consider all arguments
x of weight 2 with f(x) = 1, and with value 1 in positions i and j. Then one
gets a_{ij} + a_i + a_j + a_0 = 0. Hence a_{ij} for these indices can be expressed by
coefficients of monomials of degrees 0 and 1. In general, for any argument x of
weight w, 1 ≤ w ≤ d, the resulting linear equation in the coefficients of g(x)
has a similar structure: There is exactly one coefficient of a monomial of degree
w (we term this a coefficient of weight w) which can immediately be expressed
by coefficients of lower weight. By iterating this process for increasing weight
w, until w = d, we can eliminate roughly half of the coefficients in g(x) almost
for free. We describe a basic version of an algorithm which for low degree d will
later be considerably improved.

Algorithm 2 

1. Let weight w = 1. 

2. For all x of weight w with f{x) = 1 substitute x in g{x) = 0 to derive a 
linear equation in the coefficients of g, with a single coefficient of weight 
w. Use this equation to express this coefficient iteratively by coefficients of 
lower weight. 

3. If w < d, increment w by 1 and go to step 2. 

4. Choose random arguments x of arbitrary weight such that f{x) = 1 and 
substitute in g(x) = 0, until there are the same number of equations as 
unknowns. 

5. Solve the linear system. If there is no solution, output no annihilator of 
degree d. 

Algorithm 2 is aimed at showing that / has no annihilator of given degree d. 
However, if the system turns out to be solvable, one may try another set of 
arguments x in step 5. If the new system is again solvable, one checks whether 
the solutions found are consistent. In case the number of variables n of / is 
not too large, one may directly verify whether one has found an annihilator, by 
formally expanding f{x)*g{x) and by checking whether the result is identically 0. 
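Algorithm 1 and the basic Algorithm 2 as runnable Python, added here as an illustration and not taken from the paper. The unknown ANF coefficients of the candidate annihilator are indexed by subset bitmasks, linear forms are bitmasks over the unknowns, and step 2 of Algorithm 2 keeps, for every coefficient it eliminates, its expression in the remaining unknowns so that the random arguments of step 4 can be substituted; the optional `max_weight` parameter also applies the refinement with arguments of weight above d that the paper describes after this algorithm. The sample function x_1 x_2 x_3 + x_4 x_5 x_6 on 8 variables and all names are my own.

```python
# Algorithm 1 and the basic Algorithm 2 over F_2.  f is a truth table (list of
# 2**n bits, bit i-1 of the index = x_i).  The unknowns are the ANF coefficients
# a_S of a candidate annihilator g of degree <= d, one per subset S (a bitmask)
# with |S| <= d; a linear form in the unknowns is an int whose bit p is set when
# unknown number p occurs in it.
import random
from itertools import combinations

def monomials(n, d):
    """Bitmasks of all subsets of {1..n} of size <= d, ordered by weight."""
    return [sum(1 << i for i in s) for w in range(d + 1) for s in combinations(range(n), w)]

def submasks(x):
    """All subsets of the support of x, x itself and the empty set included."""
    s = x
    while True:
        yield s
        if s == 0:
            return
        s = (s - 1) & x

def gf2_solve(rows, cols):
    """Gaussian elimination over F_2 on the unknowns in cols.  Returns (rank, one
    nonzero solution of rows * a = 0 as a bitmask, or 0 when only a = 0 solves it)."""
    basis = {}                                   # pivot bit -> row
    for r in rows:
        while r:
            h = r.bit_length() - 1
            if h in basis:
                r ^= basis[h]
            else:
                basis[h] = r
                break
    for h in sorted(basis):                      # back-substitution: reduced echelon form
        for h2 in basis:
            if h2 > h and (basis[h2] >> h) & 1:
                basis[h2] ^= basis[h]
    free = [c for c in cols if c not in basis]
    if not free:
        return len(basis), 0
    sol = 1 << free[0]                           # one free unknown set to 1 fixes the pivots
    for h, r in basis.items():
        if (r >> free[0]) & 1:
            sol |= 1 << h
    return len(basis), sol

def to_truth_table(coeffs, n):
    """Truth table of the function whose ANF has the monomials in coeffs (subset bitmasks)."""
    return [sum(1 for S in coeffs if (S & x) == S) & 1 for x in range(1 << n)]

def is_annihilator(f, g):
    return any(g) and not any(a & b for a, b in zip(f, g))

def random_function(n, seed):
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(1 << n)]

def algorithm1(f, d):
    """Every x with f(x) = 1 substituted into g(x) = 0 and the full system solved.
    Returns (number of linearly independent annihilators of degree <= d, one of them or None)."""
    n = len(f).bit_length() - 1
    pos = {S: p for p, S in enumerate(monomials(n, d))}
    rows = [sum(1 << pos[S] for S in submasks(x) if S in pos) for x in range(1 << n) if f[x]]
    rank, sol = gf2_solve(rows, list(pos.values()))
    return len(pos) - rank, {S for S, p in pos.items() if (sol >> p) & 1} or None

def algorithm2(f, d, max_weight=None, extra_rows=32, seed=1):
    """Steps 1-3: an argument x = S of weight w <= d with f(x) = 1 expresses a_S through
    lower weight coefficients; for d < w <= max_weight, if exactly one weight-d coefficient
    in the equation is still unknown it is expressed through the others.  Step 4: random
    arguments of any weight.  Step 5: solve.  Returns (unknowns left, annihilator or None)."""
    n = len(f).bit_length() - 1
    pos = {S: p for p, S in enumerate(monomials(n, d))}
    expr = {}                                    # S -> linear form in the remaining unknowns

    def form(x):                                 # g(x) as a linear form in the remaining unknowns
        v = 0
        for S in submasks(x):
            if S in pos:
                v ^= expr.get(S, 1 << pos[S])
        return v

    ones = [x for x in range(1 << n) if f[x]]
    for w in range(1, (max_weight or d) + 1):
        for x in ones:
            if bin(x).count("1") != w:
                continue
            v = form(x)
            top = [S for S in submasks(x) if S in pos and S not in expr
                   and bin(S).count("1") == min(w, d) and (v >> pos[S]) & 1]
            if len(top) == 1:                    # a single top-weight unknown: solve for it
                expr[top[0]] = v ^ (1 << pos[top[0]])
    remaining = [S for S in pos if S not in expr]
    # extra rows beyond the paper's "as many equations as unknowns", see the note below
    sample = random.Random(seed).sample(ones, min(len(ones), len(remaining) + extra_rows))
    rank, sol = gf2_solve([form(x) for x in sample], [pos[S] for S in remaining])
    if not sol:
        return len(remaining), None
    coeffs = {S for S in remaining if (sol >> pos[S]) & 1}
    coeffs |= {S for S, v in expr.items() if bin(v & sol).count("1") & 1}
    return len(remaining), coeffs

if __name__ == "__main__":
    F = [((i & 1) & (i >> 1 & 1) & (i >> 2 & 1)) ^ ((i >> 3 & 1) & (i >> 4 & 1) & (i >> 5 & 1))
         for i in range(256)]                    # constructed sample: x1x2x3 + x4x5x6, n = 8
    print("Algorithm 1, d = 2:", algorithm1(F, 2)[0], "independent annihilators")
    print("Algorithm 2, d = 2:", algorithm2(F, 2))
```

One design choice departs from step 4 as stated: a square system of random equations over F_2 is singular for roughly 71% of random square matrices, so taking exactly as many equations as unknowns would very often report a spurious solution (which is why the paper suggests trying another set of arguments and verifying). The code therefore takes `extra_rows` additional random arguments, and any solution it returns should still be verified with `is_annihilator`, as the paper recommends. For the sample function every argument of weight at most 2 has f(x) = 0, so step 2 eliminates nothing and all 56 arguments with f(x) = 1 end up in the system; on the random function the elimination removes about half of the unknowns and `max_weight` above d removes more.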

We estimate the computational and data complexity of Algorithm 2. The
expressions of those coefficients that in step 2 have been replaced by linear
combinations of coefficients of lower weight, need to be memorized for step 4. As
the number of coefficients involved in these expressions is of order \frac{1}{2}\binom{n}{d-1}, and we
have a number \frac{1}{2}\binom{n}{d} of memorized coefficients in step 2, the number of memory
bits is of order M = \frac{1}{4}\binom{n}{d}\binom{n}{d-1}. In the evaluation of g(x) in step 4, one has to
substitute the linear expressions found in step 2. The complexity of substituting
x depends on its weight, and is at most of order M elementary operations. This
needs to be done for about \frac{1}{2}\binom{n}{d} values of x, as we have about this number
of remaining unknowns. Hence we get a computational complexity in step 4 of
order \frac{1}{2}\binom{n}{d} \cdot M = \frac{1}{8}\binom{n}{d}^2\binom{n}{d-1}. The computational complexity of step 5, and
hence of Algorithm 2, is of order \frac{1}{8}\binom{n}{d}^3 if the exponent for Gaussian elimination
is ω = 3. Thus Algorithm 2 does run roughly 8 times faster than Algorithm 1,
when modified for low degree d (i.e., by taking a number of linear equations
equal to the number of unknown coefficients in g(x)). To summarize, Algorithm
2 has the complexities as shown:

  Memory:      \frac{1}{4}\binom{n}{d}\binom{n}{d-1}

  Complexity:  \frac{1}{8}\binom{n}{d}^3

Note that the memory requirement is not stringent when compared to Algorithm
1, where a linear system of equations with about \binom{n}{d}^2 coefficients needs to be
memorized.

In order to improve efficiency over Algorithm 2, we use arguments x of higher
weight than d: Consider all arguments x with weight d + 1 such that f(x) = 1. For
each such x, a linear equation arises where \binom{d+1}{d} = d + 1 coefficients of weight d
(and coefficients of lower weight) are involved. In some fraction of arguments x,
exactly d coefficients of weight d were already expressed by coefficients of lower
weight. Thus the remaining coefficient can be expressed as well by coefficients of
lower weight. This procedure can be iterated for w = d + 2, and so on, with a higher
number of coefficients of weight d involved, but with higher probability that a
coefficient has already been replaced in an earlier step. The gain of efficiency for
increasing weight is dependent on n and d. The necessary estimates are given in
a Lemma.

Lemma 2. Let f be a random Boolean function with n variables, and let d be
the degree of an annihilator g of f. Then the following statements hold:

a) A fraction

  \frac{1}{2} + (n - d) \cdot 2^{-(d+2)}   (4)

of weight d coefficients can be replaced by lower weight coefficients by substi-
tuting all weight w arguments x with f(x) = 1, and with w ≤ d + 1.

b) Suppose that according to a) a fraction p of coefficients of weight d have
been replaced. Then an additional number A of coefficients can be replaced
by substituting arguments of weight w = d + 2, where

Proof. a): By following steps 1 to 3 of Algorithm 2, about \frac{1}{2}\binom{n}{d} coefficients
of weight d have already been replaced by lower weight coefficients. There are
about \frac{1}{2}\binom{n}{d+1} arguments x of weight w = d + 1 with f(x) = 1. Substitute these
in g(x). Then on average, for \frac{1}{2}\binom{n}{d+1} \cdot (d + 1) \cdot 2^{-(d+1)} of the arguments, we have
that amongst the d + 1 weight d coefficients involved, exactly d coefficients have
previously been expressed by coefficients of lower weight. Thus the remaining
coefficient can be expressed by coefficients of lower weight. The average fraction
of coefficients of weight d replaced by now is got by dividing by \binom{n}{d} and is as
claimed.

b) is similar, and is omitted. □

The improved algorithm is illustrated for degrees d = 4 and d = 5.

Case d = 4: Let the number of variables of f be n ≥ 20. Search for potential
annihilators of degree d = 4. First assume n = 20. Formula (4) shows that by
using all arguments of weight up to w ≤ 5, a fraction p = 0.75 of the
coefficients of weight 4 can be replaced. Thus with n = 20, there remain 1211
coefficients to be replaced. According to Formula (5), an average number A of
new coefficients of weight d can be replaced by using arguments of weight d + 2.
With n = 20, d = 4, and p = 0.75, one gets 1294. Thus with high probability
(almost) all coefficients of weight d = 4 can be replaced. Using formulas (4) and
(5) one can show that this probability quickly increases for increasing n. Hence
the number of remaining unknowns (and equations) is of order \binom{n}{3}. Thus
we are able to reduce deciding the existence of annihilators of degree at most 4
from \binom{n}{4}^3, when using Algorithm 1, to \binom{n}{3}^3, when using our refinement of
Algorithm 2.

If n = 32, i.e., one of our target values, this complexity is about \frac{1}{8}\binom{32}{3}^3 ≈ 2^{34},
compared to about \binom{32}{4}^3 ≈ 2^{45}, when Algorithm 1 (modified to d = 4) would be
directly applied.

Recall that the final system of linear equations to be solved, is found by sub-
stituting linear relations for coefficients of g(x), for various arguments x. This
should be done in a way such that it doesn't exceed the cost for solving this sys-
tem. To get a linear system of largest possible rank, one should take arguments
with arbitrary weight, so that all monomials in f contribute to the evaluation
of f. A majority of arguments x have weight about n/2. Hence only about \binom{n/2}{d}
monomials in g(x) are nonzero. Thus in this case the complexity of substituting
linear expressions in g(x) to get a linear equation in the unknowns has complexity
about \binom{n}{d-1} \cdot \binom{n/2}{d}. Doing this for \binom{n}{d-1} equations, for values n and d under
consideration, the average complexity is not larger than \binom{n}{d-1}^3. When taking
arguments with weight close to n, one better computes the linear equation got
from the weight n argument x, and then modifies this equation by setting some
components in x to 0.

Case d = 5: Let n ≥ 32. Assume n = 32 (the case n > 32 works even better).
Then according to formula (4), p = 0.7109375. The number of coefficients of
weight d = 5 after using all arguments of weight up to d + 1 = 6 is 58210. After
using weight d + 2 = 7 arguments, we can replace another 22229 coefficients of
weight 5. Hence there remain 35981, which is of the same order as \binom{32}{4} = 35960.
As half of the coefficients of weight at most 4 have already been replaced by basic
step 4 of Algorithm 2, and as the case n > 32 is more favorable, we conclude
that the remaining number of unknowns is of order \binom{n}{4}. Hence the complexity of
deciding existence of an annihilator of degree at most 5 is of order \binom{n}{4}^3, e.g., for
n = 32, it is of order 2^{45} (compared to 2^{53}, when modified Algorithm 1 would
be directly applied).

The cases d < 4 work similarly to the cases d = 4 and d = 5 just given. However,
for d = 6, and n < 50, formula (4) shows that the probability p is already close
to 0.5, so that in this case by using arguments with weight larger than 6 only
weak refinements over the basic Algorithm 2 may be expected.
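An added Monte Carlo check of formula (4) of Lemma 2(a) (example code, not the paper's; the simulation and its names are mine). Only the values f(x) at arguments of weight d and d + 1 matter for steps 1 to 3 and the first refinement step, so the simulation draws just those as fair coin flips. The proof of a) counts triggering arguments, so a coefficient that is expressed by two different weight (d + 1) arguments is counted twice; the simulation reports that count, which matches (4), next to the number of distinct coefficients, which comes out a little lower.

```python
# Monte Carlo check of formula (4).  A weight-d coefficient a_S is replaced in
# step 2 of Algorithm 2 exactly when f(S) = 1; a weight-(d+1) argument T with
# f(T) = 1 replaces one more coefficient when exactly d of the d+1 weight-d
# coefficients below T were already replaced.
import random
from itertools import combinations
from math import comb

def formula4(n, d):
    """Fraction (4): 1/2 + (n - d) 2^{-(d+2)}."""
    return 0.5 + (n - d) * 2.0 ** (-(d + 2))

def remaining_after_formula4(n, d):
    """Weight-d coefficients still unknown after using arguments of weight <= d + 1."""
    return round((1 - formula4(n, d)) * comb(n, d))

def simulate(n, d, seed=0):
    """Return (fraction counted per triggering argument as in the proof of Lemma 2,
    fraction of distinct weight-d coefficients replaced) for one random f."""
    rng = random.Random(seed)
    replaced = {S for S in combinations(range(n), d) if rng.random() < 0.5}   # f(S) = 1
    triggered = []
    for T in combinations(range(n), d + 1):
        if rng.random() < 0.5:                                                   # f(T) = 1
            unknown = [S for S in combinations(T, d) if S not in replaced]
            if len(unknown) == 1:
                triggered.append(unknown[0])
    total = comb(n, d)
    return (len(replaced) + len(triggered)) / total, len(replaced | set(triggered)) / total

if __name__ == "__main__":
    for n, d in ((20, 4), (32, 5)):
        print(f"n={n} d={d}: formula (4) = {formula4(n, d)}, "
              f"remaining = {remaining_after_formula4(n, d)}")
    mult, distinct = simulate(20, 4)
    print(f"simulation n=20 d=4: with multiplicity {mult:.3f}, distinct {distinct:.3f}")
```

For n = 20, d = 4 and n = 32, d = 5 the remaining counts reproduce the 1211 and 58210 coefficients quoted in the text.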
6 Bounds on the Probability of Annihilators' Existence

In the last section we have proposed an algorithm for deciding whether a given
function f admits annihilators of degree ≤ d. However the complexity of the
algorithm is strongly related with the inputs n, d and it turns out that this
task becomes infeasible for n > 32 and d > 6. Hence using more inputs to
the function might be an obvious solution to protect from algebraic attacks. It
cannot be precluded however that finding annihilators for larger n and d may
still be feasible by using methods related to Gröbner bases, although this seems
open. In such a setting it is important to derive bounds on the probability that
a function admits annihilators.

An easy upper bound for the probability that an n-variable balanced function
admits an annihilator of degree at most d, is deduced from the minimum weight
of any nonzero function of degree less than or equal to d. As f is assumed to be
balanced, this extends to a statement on the algebraic immunity of f:

Proposition 3 The probability that a random n-variable balanced function f
has algebraic immunity at most d is upper bounded by the number:

  Pb\{AI(f) \le d\} \le \frac{\left(2^{\sum_{i=0}^{d}\binom{n}{i}} - 1\right)\binom{2^n - 2^{n-d}}{2^{n-1}}}{\binom{2^n}{2^{n-1}}}.   (6)

Proof. The size of the set A of nonzero functions of degrees at most d equals
2^{1 + n + \cdots + \binom{n}{d}} − 1 = 2^{\sum_{i=0}^{d}\binom{n}{i}} − 1. For every such function g, the number of balanced functions f
such that the support of g is included in S_0(f) equals N_g = \binom{2^n - wt(g)}{2^{n-1}}, where
wt(g) denotes the Hamming weight of g. Since every such function g has weight
at least 2^{n−d}, we have N_g ≤ \binom{2^n - 2^{n-d}}{2^{n-1}}. Thus, the number of balanced
functions admitting an annihilator of degree at most d is smaller than or equal
to \sum_{g \in A} N_g ≤ (2^{\sum_{i=0}^{d}\binom{n}{i}} − 1)\binom{2^n - 2^{n-d}}{2^{n-1}}; indeed, the size of a union of sets
is smaller than or equal to the sum of the sizes of the sets. Since \binom{2^n}{2^{n-1}} is the
number of balanced functions, this completes the proof. □

Even though this bound is not tight, it helps us to determine the asymptotic
behavior of the probability of annihilators' existence.

Theorem 3. Let d_n be a sequence of positive integers such that d_n ≤ μn where
μ = \frac{1}{2}\left(1 + \frac{\ln 2}{2} - \sqrt{\left(1 + \frac{\ln 2}{2}\right)^2 - 1}\right) ≈ 0.22. Then

  Pb\{AI(f) \le d_n\} \to 0, \quad n \to \infty.   (7)

Proof. We know that, for every positive integer N and every 0 < λ < 1/2:

  \sum_{0 \le i \le \lambda N} \binom{N}{i} \le 2^N e^{-2N(1/2 - \lambda)^2}

(e.g., see C. Carlet [5]). We deduce that for every n and every d_n < n/2:

  \sum_{i=0}^{d_n} \binom{n}{i} \le 2^n e^{-2n(1/2 - d_n/n)^2},

and denoting the number \frac{2^{n-1} - 2^{n-d_n}}{2^n - 2^{n-d_n}} by λ_n we have:

  \binom{2^n - 2^{n-d_n}}{2^{n-1}} \le 2^{2^n - 2^{n-d_n}} e^{-2(2^n - 2^{n-d_n})(1/2 - \lambda_n)^2}.

Thus

  \left(2^{\sum_{i=0}^{d_n}\binom{n}{i}} - 1\right)\binom{2^n - 2^{n-d_n}}{2^{n-1}} \le 2^{2^n e^{-2n(1/2 - d_n/n)^2} + 2^n - 2^{n-d_n}} e^{-2(2^n - 2^{n-d_n})(1/2 - \lambda_n)^2},

and therefore

  \log_2\left[\left(2^{\sum_{i=0}^{d_n}\binom{n}{i}} - 1\right)\binom{2^n - 2^{n-d_n}}{2^{n-1}}\right] \le 2^n e^{-2n(1/2 - d_n/n)^2} + 2^n - 2^{n-d_n} - 2(\log_2 e)(2^n - 2^{n-d_n})(1/2 - \lambda_n)^2.

We have also \binom{2^n}{2^{n-1}} \sim k\,2^{2^n - n/2}, where k is a constant, according to Stirling's
formula. Hence, if n/2 is negligible with respect to

  2^{n-d_n} - 2^n e^{-2n(1/2 - d_n/n)^2} + 2(\log_2 e)(2^n - 2^{n-d_n})(1/2 - \lambda_n)^2
  = 2^n \left[2^{-d_n} - e^{-2n(1/2 - d_n/n)^2} + 2(\log_2 e)(1 - 2^{-d_n})(1/2 - \lambda_n)^2\right],

then \frac{\left(2^{\sum_{i=0}^{d_n}\binom{n}{i}} - 1\right)\binom{2^n - 2^{n-d_n}}{2^{n-1}}}{\binom{2^n}{2^{n-1}}} tends to zero.

A sufficient condition is that 2^{-d_n} > e^{-2n(1/2 - d_n/n)^2} and that n/2 is negli-
gible with respect to 2^n \left[2(\log_2 e)(1 - 2^{-d_n})(1/2 - \lambda_n)^2\right]. We have

  2^{-d_n} > e^{-2n(1/2 - d_n/n)^2} \iff d_n < 2n(\log_2 e)(1/2 - d_n/n)^2,

that is,

  d_n/n < 2(\log_2 e)(1/2 - d_n/n)^2.

The equation x = 2(\log_2 e)(1/2 − x)^2 is equivalent to x \ln 2 / 2 = (1/2 − x)^2, that
is, x^2 − x\left(1 + \frac{\ln 2}{2}\right) + \frac{1}{4} = 0, whose roots are both positive.
Its smallest root is μ. Thus d_n < μn implies 2^{-d_n} > e^{-2n(1/2 - d_n/n)^2}. And if
d_n < μn then

  (1 - 2^{-d_n})(1/2 - \lambda_n)^2 = (1 - 2^{-d_n})\left(\frac{1}{2} - \frac{1/2 - 2^{-d_n}}{1 - 2^{-d_n}}\right)^2 = \frac{2^{-2d_n}}{4(1 - 2^{-d_n})} \ge \frac{2^{-2\mu n}}{4(1 - 2^{-\mu n})}.

Hence, since 2μ is strictly smaller than 1, n/2 is negligible with respect to
2^n \left[2(\log_2 e)(1 - 2^{-d_n})(1/2 - \lambda_n)^2\right]. □
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For practical applications we are interested in concrete values of this bound for moderate $n$ rather than the asymptotic values. For instance, we can compute the probability that a random balanced function $f$ in $n = 32$ variables admits annihilators of degree $d < 6$. In view of Theorem 3, $d = 6$ satisfies the inequality $d < 0.22n$ for $n = 32$. Then computing (6) for $n = 32$, $d = 6$, gives a probability that is negligibly small. Notice that in this case, for complexity reasons, we cannot confirm the (non)existence of annihilators through Algorithm 2.

However, the upper bound as derived above is based on the property that all annihilators have weight at least $2^{n-d}$. This bound can be sharpened by using some known results on the weight distribution and enumeration of the codewords in the Reed-Muller code $\mathcal{R}(d,n)$. Let us denote by $A_w$ the number of codewords of weight $w$ in $\mathcal{R}(d,n)$; then $A_{2^{n-d}}$ equals $2^d \prod_{i=0}^{n-d-1} \frac{2^{n-i} - 1}{2^{n-d-i} - 1}$ according to MacWilliams and Sloane [16]. Furthermore, Kasami and Tokura [14] have done the weight enumeration of codewords of weight $w$ in $\mathcal{R}(d,n)$ for all $2^{n-d} < w < 2^{n-d+1}$. These results are found in [16, pg. 446] and can be used to derive a tighter upper bound from the following easy improvement of Proposition 3:

Theorem 4. For a random balanced function $f \in B_n$ the upper bound on the probability, denoted $P_b^{(2)}$, that $AI(f) < d$ is given by

$$P_b^{(2)} = \sum_{2^{n-d} \le w < 2^{n-d+1}} A_w \frac{\binom{2^n - w}{2^{n-1}}}{\binom{2^n}{2^{n-1}}} + \left( 2^{\sum_{i=0}^{d} \binom{n}{i}} - \sum_{2^{n-d} \le w < 2^{n-d+1}} A_w \right) \frac{\binom{2^n - 2^{n-d+1}}{2^{n-1}}}{\binom{2^n}{2^{n-1}}}.$$

Note that, for every $w$, we have

$$\frac{\binom{2^n - w}{2^{n-1}}}{\binom{2^n}{2^{n-1}}} \le \left( \frac{1}{2} \right)^w.$$



Remark 2. This upper bound can be further tightened by using more values of $w$ for which the exact number of codewords is known. This has been done in [15] for the weights $w$ in the range $2^{n-d} \le w < 2.5 \cdot 2^{n-d}$.

For the bound of Theorem 4, it seems to be much harder to estimate the value of $\mu'$ as was done in Theorem 3. By computation one can deduce the same behaviour of this bound but with a slightly shifted limit value, that is $\mu' \approx 0.27$. This gives a better value than Theorem 3, as for increasing $n$ the sequence $d_n \le \mu' n$ has a larger range.

The upper bounds above are important tools for estimating the security of a stream cipher. For instance, assume that breaking a cipher is computationally infeasible whenever the multiples are of degree strictly greater than, say, $d = 5$; then Theorem 4 gives $n = 18$, which is the lowest value of $n$ such that the probability that there exist annihilators of degree $d < 5$ is close to zero. Hence, assuming that $f$ has no particular structure that might be exploited, the value $n = 18$ and the key length $k = 128$ should guarantee that the known attacks are infeasible. Assuming the existence of multiples/annihilators of degree $d = 6$, this would give a computational complexity of order $\approx \binom{\ldots}{\ldots}^{\omega} = (2^{\ldots})^{\omega}$, which for $\omega = 3$ yields $2^{\ldots}$. If a more secure cipher is preferred, then the obvious method is







to increase $n$. In Table 1 below we list some other interesting cases. Each entry relates a given degree of annihilators $d$ to the minimum value of $n$ for which $P_b\{AI(f) < d\} \approx 0$. We apply the results above to the stream cipher LILI-128, for which 14 linearly independent annihilators of degree $d = 4$ have been found in [8].

              d = 5           d = 6            d = 7             d = 8
    n; P_b    18; 10^{-…4}    22; 10^{-…426}   26; 10^{-23138}   31; 10^{-…}

Table 1. Upper bound on the probability for the annihilators

Example 2. In [8], Courtois and Meier (see also [11]) have investigated the algebraic properties of LILI-128. They have found that the function $f$ in $n = 10$ variables used in LILI-128 is rather weak, since one could find 14 linearly independent annihilators of degree 4.

Note that the probability $P_b\{AI(f) < 5\}$ is equal to 1 due to Theorem 6.0.1 in [8]. The upper bound is not tight for $d = 4, 5$, giving a probability greater than 1. However, applying the upper bound for the case $d = 3$ one deduces that

$$P_b\{AI(f) < 3\} < 0.30 \cdot 10^{-24}.$$

□

Example 2 shows that the upper bound in particular for low values of n is not 
tight. However, Table 1 illustrates that this bound gives very strong estimates 
for larger n of interest. 

Acknowledgment. We are indebted to Jean-Pierre Tillich for helpful discussions.
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Abstract. At Eurocrypt '96, Coppersmith proposed an algorithm for finding small roots of bivariate integer polynomial equations, based on lattice reduction techniques. But the approach is difficult to understand. In this paper, we present a much simpler algorithm for solving the same problem. Our simplification is analogous to the simplification brought by Howgrave-Graham to Coppersmith's algorithm for finding small roots of univariate modular polynomial equations. As an application, we illustrate the new algorithm with the problem of finding the factors of $n = pq$ if we are given the high order $\frac{1}{4} \log_2 n$ bits of $p$.



1 Introduction 

An important application of lattice reduction found by Coppersmith in 1996 
is finding small roots of low-degree polynomial equations [3,4,5]. This includes 
modular univariate polynomial equations, and bivariate integer equations. 

The problem of solving univariate polynomial equations modulo an integer 
N of unknown factorization seems to be hard, as for some polynomials it is 
equivalent to the knowledge of the factorization of N. Moreover, the problem of 
inverting RSA, i.e. extracting e-th root modulo N, is a particular case of this 
problem. However, at Eurocrypt ’96, Coppersmith showed that the problem of 
finding small roots is easy [3,5], using the LLL lattice reduction algorithm [9]: 

Theorem 1 (Coppersmith). Given a monic polynomial $P(x)$ of degree $\delta$, modulo an integer $N$ of unknown factorization, one can find in time polynomial in $(\log N, 2^\delta)$ all integers $x_0$ such that $P(x_0) = 0 \bmod N$ and $|x_0| < \ldots$

The algorithm can be extended to handle multivariate modular polynomial equations, but the extension is heuristic only. Coppersmith's algorithm has many applications in cryptography: cryptanalysis of RSA with small public exponent when some part of the message is known [5], cryptanalysis of RSA with private exponent $d$ below the bound of [1], polynomial-time factorization of $N = p^r q$ for large $r$ [2], and even an improved security proof for OAEP with small public exponent [13] (see [12] for a nice survey).

Coppersmith’s algorithm for solving univariate modular polynomial equations 
was further simplified by Howgrave-Graham in [7]. Apart from being simpler 
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to understand and implement, a significant advantage of Howgrave-Graham's approach is the heuristic extension to multivariate modular polynomials: indeed, depending on the shape of the polynomial, there is much flexibility in selecting the parameters of the algorithm, and Howgrave-Graham's approach makes it easy to derive the corresponding bound for the roots. This approach is actually used in all previously cited variants of Coppersmith's technique [1,2].

Similarly, the problem of solving bivariate integer polynomial equations seems to be hard. Letting $p(x,y)$ be a polynomial in two variables with integer coefficients,

$$p(x,y) = \sum_{i,j} p_{ij} \, x^i y^j,$$

it consists in finding all integer pairs $(x_0, y_0)$ such that $p(x_0, y_0) = 0$. We see that integer factorization is a special case as one can take $p(x,y) = N - x \cdot y$. However, at Eurocrypt '96, Coppersmith showed [4,5] that using LLL, the problem of finding small roots of bivariate polynomial equations is easy:

Theorem 2. Let $p(x,y)$ be an irreducible polynomial in two variables over $\mathbb{Z}$, of maximum degree $\delta$ in each variable separately. Let $X$ and $Y$ be upper bounds on the desired integer solution $(x_0, y_0)$, and let $W = \max_{i,j} |p_{ij}| X^i Y^j$. If $XY < W^{2/(3\delta)}$, then in time polynomial in $(\log W, 2^\delta)$, one can find all integer pairs $(x_0, y_0)$ such that $p(x_0, y_0) = 0$, $|x_0| \le X$, and $|y_0| \le Y$.

Moreover, there can be improved bounds depending on the shape of the polynomial $p(x,y)$. For example, for a polynomial $p(x,y)$ of total degree $\delta$ in $x$ and $y$, the bound is $XY < \ldots$. As for the univariate modular case, the technique can be heuristically extended to more than two variables. An application of Coppersmith's algorithm for the bivariate integer polynomial case is to factor in polynomial time an RSA modulus $n = pq$ such that half of the least significant or most significant bits of $p$ are known [5].

However, as noted in [6], the approach for the bivariate integer case is rather difficult to understand. This means that the algorithm is difficult to implement in practice, and that improved bounds depending on the shape of the polynomial are more difficult to derive. In particular, what makes the analysis harder is that one has to derive the determinant of lattices which are not full rank. The particular case of factoring $n = pq$ when half of the least significant or most significant bits of $p$ are known was further simplified by Howgrave-Graham in [7], but as noted in [6], this particular simplification does not seem to extend to the general case of bivariate polynomial equations. As suggested in [12], a simplification analogous to what has been obtained by Howgrave-Graham for the univariate modular case would be useful.

In this paper, we present a simple and efficient algorithm for finding small 
roots of bivariate integer polynomials. Our simplification is analogous to the 
simplification obtained by Howgrave-Graham for the univariate modular case. 
We apply lattice reduction to a full rank lattice that admits a natural triangular 
basis. It is then straightforward to derive the determinant and improved bounds 
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depending on the shape of the polynomial; the heuristic extension to more than two variables is also simpler. However, our algorithm is slightly less efficient than Coppersmith's algorithm, because our algorithm has a polynomial-time complexity only if $XY < W^{2/(3\delta) - \varepsilon}$ for fixed $\varepsilon > 0$, whereas Coppersmith's algorithm requires $XY < W^{2/(3\delta)}$, a slightly weaker condition. In section 7, we illustrate our algorithm with the problem of finding the factors of $n = pq$ if we are given the high order $\frac{1}{4} \log_2 n$ bits of $p$, and show that our algorithm is rather efficient in practice.



2 Solving Bivariate Integer Equations: an Illustration 

In this section, we first illustrate our technique with a bivariate integer polynomial of the form

$$p(x,y) = a + bx + cy + dxy,$$

with $a \ne 0$ and $d \ne 0$. We assume that $p(x,y)$ is irreducible and has a small root $(x_0, y_0)$. Our goal is to recover $(x_0, y_0)$. As in theorem 2, we let $X, Y$ be some bound on $x_0, y_0$, that is we have $|x_0| \le X$ and $|y_0| \le Y$, and let $W = \max\{|a|, |b|X, |c|Y, |d|XY\}$. Moreover, given a polynomial $h(x,y) = \sum_{i,j} h_{ij} x^i y^j$, we define $\|h(x,y)\|^2 := \sum_{i,j} |h_{ij}|^2$ and $\|h(x,y)\|_\infty := \max_{i,j} |h_{ij}|$. Note that we have:

$$W = \|p(xX, yY)\|_\infty \qquad (1)$$

First, we generate an integer $n$ such that:

$$W \le n < 2 \cdot W \qquad (2)$$

and $\gcd(n, a) = 1$. One can take $n = W + ((1 - W) \bmod |a|)$. Then we define the polynomial:

$$q_{00}(x,y) = a^{-1} \, p(x,y) \bmod n = 1 + b'x + c'y + d'xy$$

We also consider the polynomials $q_{10}(x,y) = nx$, $q_{01}(x,y) = ny$ and $q_{11}(x,y) = nxy$. Note that for all four polynomials $q_{ij}(x,y)$, we have that $q_{ij}(x_0, y_0) = 0 \bmod n$.

We consider the four polynomials $\tilde q_{ij}(x,y) = q_{ij}(xX, yY)$; we are interested in finding a small linear integer combination of the polynomials $\tilde q_{ij}(x,y)$. Therefore, we consider the lattice generated by all linear integer combinations of the coefficient vectors of the $\tilde q_{ij}(x,y)$. A basis of the lattice is given by the following matrix $L$ of row vectors:

$$L = \begin{pmatrix} 1 & b'X & c'Y & d'XY \\ & nX & & \\ & & nY & \\ & & & nXY \end{pmatrix}$$
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We know that the LLL algorithm [9], given a lattice spanned by $(u_1, \ldots, u_\omega)$, finds in polynomial time a lattice vector $b_1$ such that $\|b_1\| \le 2^{(\omega-1)/4} \det(L)^{1/\omega}$. More background on lattice reduction techniques will be given in the next section. With $\omega = 4$ and $\det L = n^3 (XY)^2$ we obtain in polynomial time a non-zero polynomial $h(x,y)$ such that

$$\|h(xX, yY)\| \le 2 \cdot n^{3/4} (XY)^{1/2} \qquad (3)$$

Note that we have $h(x_0, y_0) = 0 \bmod n$. The following lemma, due to Howgrave-Graham, shows that if the coefficients of $h(x,y)$ are sufficiently small, then the equality $h(x_0, y_0) = 0$ holds not only modulo $n$, but also over $\mathbb{Z}$.

Lemma 1 (Howgrave-Graham). Let $h(x,y) \in \mathbb{Z}[x,y]$ which is a sum of at most $\omega$ monomials. Suppose that $h(x_0, y_0) = 0 \bmod n$ where $|x_0| \le X$ and $|y_0| \le Y$ and $\|h(xX, yY)\| < n/\sqrt{\omega}$. Then $h(x_0, y_0) = 0$ holds over the integers.

Proof. We have:

$$|h(x_0, y_0)| = \left| \sum h_{ij} x_0^i y_0^j \right| = \left| \sum h_{ij} X^i Y^j \left( \frac{x_0}{X} \right)^i \left( \frac{y_0}{Y} \right)^j \right| \le \sum \left| h_{ij} X^i Y^j \right| \le \sqrt{\omega} \, \|h(xX, yY)\| < n$$

Since $h(x_0, y_0) = 0 \bmod n$, this gives $h(x_0, y_0) = 0$. □



Assume now that:

$$XY < \frac{n^{1/2}}{16} \qquad (4)$$

Then inequality (3) gives:

$$\|h(xX, yY)\| < \frac{n}{2} \qquad (5)$$

which implies that $h(x_0, y_0) = 0$. Moreover, from (1), (2) and (5) we get:

$$\|h(xX, yY)\| < \frac{n}{2} < W \le \|p(xX, yY)\|_\infty \le \|p(xX, yY)\|$$

This shows that $h(x,y)$ cannot be a multiple of $p(x,y)$. Namely, if $h(x,y)$ is a multiple of $p(x,y)$, then it follows from the definition of $p$ and $h$ that we must have $h(x,y) = \lambda \cdot p(x,y)$ with $\lambda \in \mathbb{Z}^*$. This would give $\|h(xX, yY)\| = |\lambda| \cdot \|p(xX, yY)\| \ge \|p(xX, yY)\|$, a contradiction.

Eventually, since $p(x,y)$ is irreducible and $h(x,y)$ is not a multiple of $p(x,y)$,

$$Q(x) = \mathrm{Resultant}_y(h(x,y), p(x,y))$$

gives a non-zero integer polynomial such that $Q(x_0) = 0$. Using any standard root-finding algorithm, we can recover $x_0$, and finally $y_0$ by solving $p(x_0, y) = 0$. Using inequality (4) and $n \ge W$, this shows that if:

$$XY < \frac{W^{1/2}}{16}$$

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one can find in time polynomial in $\log W$ all integer pairs $(x_0, y_0)$ such that $p(x_0, y_0) = 0$, $|x_0| \le X$ and $|y_0| \le Y$.

This bound is weaker than the bound $XY < W^{2/3}$ given by theorem 2 for $\delta = 1$. We will see in section 4 that by adding more multiples of $p(x,y)$ into the lattice, we recover the desired bound.
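As an added worked example (my code, not code from the paper), the following Python script carries out the section 2 procedure end to end on a constructed polynomial $p(x,y) = a + bx + cy + dxy$ with a planted small root: it computes $W$ and $n$ as in (1) and (2), builds the $4 \times 4$ basis $L$, reduces it with a textbook LLL in exact rational arithmetic (the guarantee of theorem 3 in the next section), checks the Howgrave-Graham condition of lemma 1 on the shortest vector, and recovers the root through the resultant in $y$, which for two polynomials linear in $y$ is just $h_0 p_1 - h_1 p_0$. The coefficients, the root $(3, -7)$ and the bounds $X = Y = 8$ are constructed for the example and the function names are mine; the script assumes nothing beyond the Python standard library.

```python
from fractions import Fraction
from math import gcd, isqrt

# Constructed example (not from the paper): p(x, y) = a + b*x + c*y + d*x*y
# with a planted small root (x0, y0) = (3, -7) and bounds X = Y = 8.
B_, C_, D_ = 1_000_003, 2_000_033, 3_000_017
X0, Y0 = 3, -7
A_ = -(B_ * X0 + C_ * Y0 + D_ * X0 * Y0)
P = (A_, B_, C_, D_)
X = Y = 8


def weight_w(p, X, Y):
    """W = ||p(xX, yY)||_inf = max(|a|, |b|X, |c|Y, |d|XY), equation (1)."""
    a, b, c, d = p
    return max(abs(a), abs(b) * X, abs(c) * Y, abs(d) * X * Y)


def choose_n(p, X, Y):
    """n = W + ((1 - W) mod |a|) gives W <= n < 2W and gcd(n, a) = 1, equation (2)."""
    W = weight_w(p, X, Y)
    n = W + ((1 - W) % abs(p[0]))
    assert W <= n < 2 * W and gcd(n, p[0]) == 1
    return n


def section2_basis(p, X, Y, n):
    """Rows: coefficient vectors (monomials 1, x, y, xy) of q_ij(xX, yY) for
    q00 = a^-1 p mod n, q10 = n x, q01 = n y, q11 = n xy; this is the matrix L."""
    a, b, c, d = p
    ai = pow(a, -1, n)  # inverse exists since gcd(a, n) = 1
    return [[1, ai * b % n * X, ai * c % n * Y, ai * d % n * X * Y],
            [0, n * X, 0, 0], [0, 0, n * Y, 0], [0, 0, 0, n * X * Y]]


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals; the first vector of the result
    satisfies ||b1|| <= 2^((w-1)/4) det(L)^(1/w) (theorem 3)."""
    B = [list(v) for v in basis]
    w = len(B)
    dot = lambda u, v: sum(Fraction(x) * y for x, y in zip(u, v))

    def gram_schmidt():
        Bs, mu = [], [[Fraction(0)] * w for _ in range(w)]
        for i in range(w):
            v = [Fraction(x) for x in B[i]]
            for j in range(i):
                mu[i][j] = dot(B[i], Bs[j]) / dot(Bs[j], Bs[j])
                v = [x - mu[i][j] * y for x, y in zip(v, Bs[j])]
            Bs.append(v)
        return Bs, mu

    Bs, mu = gram_schmidt()
    k = 1
    while k < w:
        for j in range(k - 1, -1, -1):            # size reduction of b_k
            q = round(mu[k][j])
            if q:
                B[k] = [x - q * y for x, y in zip(B[k], B[j])]
                Bs, mu = gram_schmidt()
        if dot(Bs[k], Bs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(Bs[k - 1], Bs[k - 1]):
            k += 1                                 # Lovasz condition holds
        else:
            B[k], B[k - 1] = B[k - 1], B[k]        # swap and step back
            Bs, mu = gram_schmidt()
            k = max(k - 1, 1)
    return B


def integer_roots(c2, c1, c0):
    """Integer roots of c2 x^2 + c1 x + c0, using exact integer arithmetic."""
    if c2 == 0:
        return [-c0 // c1] if c1 and c0 % c1 == 0 else []
    disc = c1 * c1 - 4 * c2 * c0
    s = isqrt(disc) if disc >= 0 else -1
    if s < 0 or s * s != disc:
        return []
    return sorted({t // (2 * c2) for t in (-c1 + s, -c1 - s) if t % (2 * c2) == 0})


def small_root_section2(p, X, Y):
    """Section 2 algorithm for p = a + bx + cy + dxy: all roots (x, y) with
    |x| <= X, |y| <= Y found via LLL, lemma 1 and the resultant in y."""
    a, b, c, d = p
    n = choose_n(p, X, Y)
    v = lll(section2_basis(p, X, Y, n))[0]       # coefficients of h(xX, yY)
    assert 4 * sum(t * t for t in v) < n * n      # lemma 1, omega = 4: ||h~|| < n/2
    ha, hb, hc, hd = v[0], v[1] // X, v[2] // Y, v[3] // (X * Y)
    # Res_y(h, p) for h = (ha + hb x) + (hc + hd x) y and p = (a + b x) + (c + d x) y
    # equals (ha + hb x)(c + d x) - (hc + hd x)(a + b x), of degree <= 2 in x.
    r0, r1, r2 = ha * c - hc * a, ha * d + hb * c - hc * b - hd * a, hb * d - hd * b
    assert (r0, r1, r2) != (0, 0, 0)              # h is not a multiple of p, so Q != 0
    roots = []
    for x in integer_roots(r2, r1, r0):
        num, den = -(a + b * x), c + d * x        # p(x, y) = 0  <=>  y = num / den
        if abs(x) <= X and den and num % den == 0 and abs(num // den) <= Y:
            roots.append((x, num // den))
    return roots
```

The bound $XY < W^{1/2}/16$ holds with a wide margin here ($W \approx 2^{27.5}$, $XY = 64$), so the Howgrave-Graham assertion passes and the resultant has $x_0 = 3$ as an integer root; the same driver works for any coefficients as long as that inequality is respected.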



3 Background on Lattices and Polynomials 

3.1 The LLL Algorithm 

Let $u_1, \ldots, u_\omega \in \mathbb{Z}^n$ be linearly independent vectors with $\omega \le n$. The lattice $L$ spanned by $\langle u_1, \ldots, u_\omega \rangle$ consists of all integral linear combinations of $u_1, \ldots, u_\omega$, that is:

$$L = \left\{ \sum_{i=1}^{\omega} n_i \cdot u_i \;\middle|\; n_i \in \mathbb{Z} \right\}$$

Such a set of vectors $u_i$'s is called a lattice basis. All the bases have the same number of elements, called the dimension or rank of the lattice. We say that the lattice is full rank if $\omega = n$. Any two bases of the same lattice $L$ are related by some integral matrix of determinant $\pm 1$. Therefore, all the bases have the same Gramian determinant $\det_{1 \le i,j \le \omega} \langle u_i, u_j \rangle$. One defines the determinant of the lattice as the square root of the Gramian determinant. If the lattice is full rank, then the determinant of $L$ is equal to the absolute value of the determinant of the $\omega \times \omega$ matrix whose rows are the basis vectors $u_1, \ldots, u_\omega$.

The LLL algorithm [9] computes a short vector in a lattice:

Theorem 3 (LLL). Let $L$ be a lattice spanned by $(u_1, \ldots, u_\omega)$. The LLL algorithm, given $(u_1, \ldots, u_\omega)$, finds in polynomial time a vector $b_1$ such that:

$$\|b_1\| \le 2^{(\omega-1)/4} \det(L)^{1/\omega}$$



3.2 Bound on the Factors of Polynomials 

We use the following notation: given a polynomial $h(x) = \sum_i h_i x^i$, we define $\|h\|^2 := \sum_i |h_i|^2$ and $\|h\|_\infty := \max_i |h_i|$. We use the same notations for bivariate polynomials, as defined in section 2. The following two lemmata will be useful in the next section:

Lemma 2. Let $a(x,y)$ and $b(x,y)$ be two non-zero polynomials over $\mathbb{Z}$ of maximum degree $d$ separately in $x$ and $y$, such that $b(x,y)$ is a multiple of $a(x,y)$ in $\mathbb{Z}[x,y]$. Then:

$$\|b\| \ge 2^{-(d+1)^2} \cdot \|a\|_\infty$$
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Proof. The proof is based on the following result of Mignotte [11]: let $f(x)$ and $g(x)$ be two non-zero polynomials over the integers, such that $\deg f \le k$ and $f$ divides $g$ in $\mathbb{Z}[x]$; then:

$$\|g\| \ge 2^{-k} \cdot \|f\|_\infty$$

Let $f(x) = a(x, x^{d+1})$. Then we have $\deg f \le (d+1)^2$ and the polynomials $a(x,y)$ and $f(x)$ have the same list of non-zero coefficients, which gives $\|f\|_\infty = \|a\|_\infty$. Similarly, letting $g(x) = b(x, x^{d+1})$, we have $\|g\| = \|b\|$. Moreover $f(x)$ divides $g(x)$ in $\mathbb{Z}[x]$. Using the previous result of Mignotte, this proves lemma 2. □

Lemma 3. Let $a(x,y)$ and $b(x,y)$ be as in lemma 2. Assume that $a(0,0) \ne 0$ and $b(x,y)$ is divisible by a non-zero integer $r$ such that $\gcd(r, a(0,0)) = 1$. Then $b(x,y)$ is divisible by $r \cdot a(x,y)$ and:

$$\|b\| \ge 2^{-(d+1)^2} \cdot |r| \cdot \|a\|_\infty$$

Proof. Let $\lambda(x,y)$ be the polynomial such that $a(x,y) \cdot \lambda(x,y) = b(x,y)$. We show that $r$ divides $\lambda(x,y)$. Assume that this is not the case, and let $\lambda_{ij}$ be a coefficient of $x^i y^j$ in $\lambda(x,y)$ not divisible by $r$. Take the smallest $(i,j)$ for the lexicographic ordering. Then we have that $b_{ij} = \lambda_{ij} \cdot a(0,0) \bmod r$, where $b_{ij}$ is the coefficient of $x^i y^j$ in $b(x,y)$. Since $a(0,0)$ is invertible modulo $r$ and $b_{ij} = 0 \bmod r$, this gives a contradiction. This shows that $r \cdot a(x,y)$ divides $b(x,y)$. Applying the previous lemma to $r \cdot a(x,y)$ and $b(x,y)$, this terminates the proof. □

4 Finding Small Roots of Bivariate Integer Polynomials 

We prove the following theorem: 

Theorem 4. Let $p(x,y)$ be an irreducible polynomial in two variables over $\mathbb{Z}$, of maximum degree $\delta$ in each variable separately. Let $X$ and $Y$ be upper bounds on the desired integer solution $(x_0, y_0)$, and let $W = \max_{i,j} |p_{ij}| X^i Y^j$. If for some $\varepsilon > 0$,

$$XY < W^{2/(3\delta) - \varepsilon} \qquad (6)$$

then in time polynomial in $(\log W, 2^\delta)$, one can find all integer pairs $(x_0, y_0)$ such that $p(x_0, y_0) = 0$, $|x_0| \le X$, and $|y_0| \le Y$.

Proof. We write:

$$p(x,y) = \sum_{0 \le i,j \le \delta} p_{ij} \, x^i y^j$$

and let $(x_0, y_0)$ be an integer root of $p(x,y)$. As previously we let

$$W = \|p(xX, yY)\|_\infty$$

First we assume that $p_{00} \ne 0$ and $\gcd(p_{00}, XY) = 1$. We will see in appendix A how to handle the general case.
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We select an integer $k \ge 0$ and let $\omega = (\delta + k + 1)^2$. We generate an integer $u$ such that $W \le u < 2W$ and $\gcd(p_{00}, u) = 1$. As in section 2, one can take

$$u = W + ((1 - W) \bmod |p_{00}|).$$

We let $n = u \cdot (XY)^k$. We have that $\gcd(p_{00}, n) = 1$ and:

$$(XY)^k \cdot W \le n < 2 \cdot (XY)^k \cdot W \qquad (7)$$

As in section 2, we must find a polynomial $h(x,y)$ such that $h(x_0, y_0) = 0$ and $h(x,y)$ is not a multiple of $p(x,y)$. We let $q(x,y)$ be the polynomial:

$$q(x,y) = p_{00}^{-1} \cdot p(x,y) \bmod n = 1 + \sum_{(i,j) \ne (0,0)} a_{ij} x^i y^j$$

For all $0 \le i, j \le k$, we form the polynomials:

$$q_{ij}(x,y) = x^i y^j X^{k-i} Y^{k-j} q(x,y)$$

For all $(i,j) \in [0, \delta+k]^2 \setminus [0, k]^2$, we also form the polynomials:

$$q_{ij}(x,y) = x^i y^j n$$

We consider the corresponding polynomials $\tilde q_{ij}(x,y) = q_{ij}(xX, yY)$. Note that for all $(i,j) \in [0, \delta+k]^2$, we have that $q_{ij}(x_0, y_0) = 0 \bmod n$, and the polynomial $\tilde q_{ij}(x,y)$ is divisible by $(XY)^k$.

Let $h(x,y)$ be a linear integer combination of the polynomials $q_{ij}(x,y)$; the polynomial $\tilde h(x,y) = h(xX, yY)$ is also a linear combination of the $\tilde q_{ij}(x,y)$ with the same integer coefficients. We have that $h(x_0, y_0) = 0 \bmod n$ and $(XY)^k$ divides $h(xX, yY)$. Moreover $h(x,y)$ has maximum degree $\delta + k$ independently in $x$ and $y$, therefore it is the sum of at most $\omega$ monomials. As in section 2, we are interested in finding a polynomial $h(x,y)$ such that the coefficients of $h(xX, yY)$ are small enough, for the following two reasons:

1) if the coefficients of $h(xX, yY)$ are sufficiently small, then the equality $h(x_0, y_0) = 0$ holds not only modulo $n$, but also over $\mathbb{Z}$. From lemma 1, the condition is:

$$\|h(xX, yY)\| < \frac{n}{\sqrt{\omega}} \qquad (8)$$

2) if the coefficients of $h(xX, yY)$ are sufficiently small, then $h(x,y)$ cannot be a multiple of $p(x,y)$. Using lemma 3, the condition is:

$$\|h(xX, yY)\| < 2^{-\omega} \cdot (XY)^k \cdot W \qquad (9)$$

This condition is obtained by applying lemma 3 with $a(x,y) = p(xX, yY)$, $b(x,y) = h(xX, yY)$ and $r = (XY)^k$. Then we have $a(0,0) = p_{00} \ne 0$ and
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$\gcd(a(0,0), (XY)^k) = 1$. Under condition (9), $h(xX, yY)$ cannot be a multiple of $p(xX, yY)$ and therefore $h(x,y)$ cannot be a multiple of $p(x,y)$.

Using inequality (7), we obtain that the first condition (8) is satisfied whenever the second condition (9) is satisfied.

We form the lattice $L$ spanned by the coefficients of the polynomials $\tilde q_{ij}(x,y)$. The polynomials $\tilde q_{ij}(x,y)$ have a maximum degree of $\delta + k$ separately in $x$ and $y$; therefore, there are $(\delta + k + 1)^2$ such coefficients. Moreover, there is a total of $(\delta + k + 1)^2$ polynomials. This gives a full rank lattice of dimension $\omega = (\delta + k + 1)^2$. In figure 1, we illustrate the lattice for $\delta = 1$ and $k = 1$.





Rows are the coefficient vectors of the $\tilde q_{ij}(x,y) = q_{ij}(xX, yY)$, columns the monomials, with $q = 1 + a_{10}x + a_{01}y + a_{11}xy$; blank entries are 0.

                1     x          y          xy         x^2        x^2 y      y^2        x y^2      x^2 y^2
    XYq         XY    a10 X^2Y   a01 XY^2   a11 X^2Y^2
    Yxq               XY                    a01 XY^2   a10 X^2Y   a11 X^2Y^2
    Xyq                          XY         a10 X^2Y                         a01 XY^2   a11 X^2Y^2
    xyq                                     XY                    a10 X^2Y              a01 XY^2   a11 X^2Y^2
    x^2 n                                              X^2 n
    x^2 y n                                                       X^2Y n
    y^2 n                                                                    Y^2 n
    x y^2 n                                                                             XY^2 n
    x^2 y^2 n                                                                                      X^2Y^2 n

Fig. 1. The lattice $L$ for $\delta = 1$ and $k = 1$



It is easy to see that the coefficient vectors of the polynomials $\tilde q_{ij}(x,y)$ form a triangular basis of $L$. The determinant is then the product of the diagonal entries. For $0 \le i, j \le k$, the contribution of the polynomials $\tilde q_{ij}(x,y)$ to the determinant is given by:

$$\prod_{0 \le i,j \le k} (XY)^k = (XY)^{k(k+1)^2}$$

The contribution of the other polynomials $\tilde q_{ij}(x,y)$ is then:

$$\prod X^i Y^j n = (XY)^{\frac{(\delta+k)(\delta+k+1)^2 - k(k+1)^2}{2}} \cdot n^{\delta(\delta + 2k + 2)}$$

Therefore, the determinant of $L$ is given by:

$$\det(L) = (XY)^{\frac{(\delta+k)(\delta+k+1)^2 + k(k+1)^2}{2}} \cdot n^{\delta(\delta + 2k + 2)} \qquad (10)$$

Using LLL (see theorem 3), we obtain in time polynomial in $(\log W, \omega)$ a non-zero polynomial $h(x,y)$ such that:

$$\|h(xX, yY)\| \le 2^{(\omega-1)/4} \cdot \det(L)^{1/\omega} \qquad (11)$$

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Note that any vector in the lattice $L$ has integer coefficients divisible by $(XY)^k$; this means that in practice, it is more efficient to apply LLL to the lattice $(XY)^{-k} L$.
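To make the structure of this lattice concrete, here is an added Python example (mine, not the paper's code) that builds the coefficient vectors of the $\tilde q_{ij}(x,y)$ for arbitrary $\delta$ and $k$ exactly as defined above, then checks the two facts the proof relies on: the basis is triangular with non-zero diagonal, and the product of the diagonal, i.e. $\det(L)$, equals $(XY)^{[(\delta+k)(\delta+k+1)^2 + k(k+1)^2]/2} \cdot n^{\delta(\delta+2k+2)}$, which is what multiplying the two contributions above gives. It also confirms that every entry is divisible by $(XY)^k$, the observation behind reducing $(XY)^{-k}L$ instead. The sample polynomial (with $\delta = 2$), the bounds $X = 3$, $Y = 5$ and the parameter $k = 1$ are constructed for the example; the function names are mine.

```python
from math import gcd

# Constructed sample (not from the paper): p(x, y) as {(i, j): p_ij}, of degree
# delta = 2 in each variable, with p_00 = 7 coprime to X*Y = 15 as section 4 requires.
P2 = {(0, 0): 7, (1, 0): 3, (0, 1): 5, (1, 1): -2, (2, 1): 11, (2, 2): 4}
X2, Y2, K2 = 3, 5, 1


def degree(p):
    """Maximum degree delta of p separately in x and y."""
    return max(max(i, j) for i, j in p)


def weight_w(p, X, Y):
    """W = ||p(xX, yY)||_inf = max |p_ij| X^i Y^j."""
    return max(abs(c) * X ** i * Y ** j for (i, j), c in p.items())


def make_n(p, X, Y, k):
    """u = W + ((1 - W) mod |p_00|), so W <= u < 2W and gcd(p_00, u) = 1; n = u (XY)^k."""
    W = weight_w(p, X, Y)
    u = W + ((1 - W) % abs(p[(0, 0)]))
    n = u * (X * Y) ** k
    assert gcd(p[(0, 0)], n) == 1 and (X * Y) ** k * W <= n < 2 * (X * Y) ** k * W  # (7)
    return n


def build_lattice(p, X, Y, k, n):
    """Coefficient vectors of q~_ij(x, y) = q_ij(xX, yY), monomial (i, j) at column
    i*(delta+k+1) + j. For 0 <= i, j <= k the row comes from
    q_ij = x^i y^j X^(k-i) Y^(k-j) q(x, y), q = p_00^-1 p mod n, so the coefficient
    of x^(i+s) y^(j+t) is a_st X^(k+s) Y^(k+t); the other rows are x^i y^j n,
    i.e. the single diagonal entry n X^i Y^j."""
    m = degree(p) + k
    monos = [(i, j) for i in range(m + 1) for j in range(m + 1)]
    col = {mono: idx for idx, mono in enumerate(monos)}
    inv = pow(p[(0, 0)], -1, n)
    q = {st: inv * c % n for st, c in p.items()}          # q(0, 0) = 1
    rows = []
    for (i, j) in monos:
        row = [0] * len(monos)
        if i <= k and j <= k:
            for (s, t), c in q.items():
                row[col[(i + s, j + t)]] = c * X ** (k + s) * Y ** (k + t)
        else:
            row[col[(i, j)]] = n * X ** i * Y ** j
        rows.append(row)
    return rows


def is_upper_triangular(rows):
    """Every entry below the diagonal is zero and every diagonal entry is non-zero."""
    return (all(rows[r][c] == 0 for r in range(len(rows)) for c in range(r))
            and all(rows[r][r] != 0 for r in range(len(rows))))


def det_from_diagonal(rows):
    d = 1
    for r in range(len(rows)):
        d *= rows[r][r]
    return d


def det_closed_form(delta, k, X, Y, n):
    """(XY)^([(delta+k)(delta+k+1)^2 + k(k+1)^2]/2) * n^(delta(delta+2k+2)), equation (10)."""
    e = (delta + k) * (delta + k + 1) ** 2 + k * (k + 1) ** 2
    assert e % 2 == 0                     # the exponent is always an integer
    return (X * Y) ** (e // 2) * n ** (delta * (delta + 2 * k + 2))


def check_lattice(p, X, Y, k):
    """(dimension, triangular?, diagonal product == (10)?, all entries divisible by (XY)^k?)"""
    n = make_n(p, X, Y, k)
    rows = build_lattice(p, X, Y, k, n)
    return (len(rows),
            is_upper_triangular(rows),
            det_from_diagonal(rows) == det_closed_form(degree(p), k, X, Y, n),
            all(e % (X * Y) ** k == 0 for row in rows for e in row))
```

The column order is $i$-major rather than the order used in figure 1, which changes nothing about triangularity; the check passes for every $k \ge 0$ because $\gcd(p_{00}, XY) = 1$ keeps $p_{00}$ invertible modulo $n$ no matter how large $(XY)^k$ grows.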

From inequality (11) we obtain that the conditions (8) and (9) are satisfied when:

$$2^{(\omega-1)/4} \cdot \det(L)^{1/\omega} < 2^{-\omega} \cdot (XY)^k \cdot W \qquad (12)$$

In this case, we have that $h(x_0, y_0) = 0$ and $h(x,y)$ is not a multiple of $p(x,y)$. Since $p(x,y)$ is irreducible,

$$Q(x) = \mathrm{Resultant}_y(h(x,y), p(x,y))$$

gives a non-zero integer polynomial such that $Q(x_0) = 0$. Using any standard root-finding algorithm, we can recover $x_0$, and finally $y_0$ by solving $p(x_0, y) = 0$. Using inequality (7), we obtain that inequality (12) is satisfied when:

$$XY < 2^{-\beta} W^{\alpha} \qquad (13)$$

where

$$\alpha = \frac{2(k+1)^2}{(\delta+k)(\delta+k+1)^2 - k(k+1)^2} \qquad (14)$$




10 {6 + k + l)^ + {S + k+l)^ 

^“4 (,5 + fc)(<5 + fc + l)2-fc(fc + l)2 


(15) 


We have that for all $\delta \ge 1$ and $k \ge 0$:

$$\alpha \ge \frac{2}{3\delta} - \frac{2}{3 \cdot (k+1)} \qquad (16)$$

and:

$$\beta \le \frac{4k^2}{\delta} + 13\delta \qquad (17)$$

Then, taking $k = \lfloor 1/\varepsilon \rfloor$, we obtain from (13), (16) and (17) the following condition for $XY$:

$$XY < W^{2/(3\delta) - \varepsilon} \cdot 2^{-4/(\delta \varepsilon^2) - 13\delta} \qquad (18)$$

For an $XY$ satisfying (18), we obtain a bivariate integer polynomial root-finding algorithm running in time polynomial in $(\log W, \delta, 1/\varepsilon)$.

For an $XY$ satisfying the slightly weaker condition (6), we exhaustively search the high order $4/(\delta \cdot \varepsilon^2) + 13\delta$ bits of $x_0$, so that condition (18) applies, and for each possible value we use the algorithm described previously. For a fixed $\varepsilon > 0$, the running time is polynomial in $(\log W, 2^\delta)$. This terminates the proof of theorem 4. □

As in [5], the efficiency of our algorithm depends on the shape of the polynomial $p(x,y)$. The previous theorem applies when $p(x,y)$ has maximum degree $\delta$ separately in $x$ and $y$. If we assume that $p(x,y)$ has total degree $\delta$ in $x$ and $y$, we obtain the following theorem, analogous to theorem 3 in [5] (the proof is given in appendix B).
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Theorem 5. Under the hypothesis of theorem 4, except that $p(x,y)$ has total degree $\delta$, the appropriate bound is:

$$XY < \ldots$$



5 Comparison with Coppersmith’s Algorithm 

We note that under the following condition, stronger than (6):

$$XY < \ldots$$

Coppersmith's algorithm is polynomial-time in $(\log W, \delta, 1/\varepsilon)$ (see [5], theorem 2), whereas our algorithm is polynomial-time in $(\log W, \delta)$ but exponential-time in $1/\varepsilon$. Coppersmith's algorithm is therefore more efficient than ours for small values of $\varepsilon$. This implies that under the following condition, weaker than (6):

$$XY < W^{2/(3\delta)}$$

Coppersmith's algorithm is still polynomial in $(\log W, 2^\delta)$ (see [5], corollary 2), which is no longer the case for our algorithm.



6 Extension to More Variables 

Our algorithm can be extended to solve integer polynomial equations with more 
than two variables. As for Coppersmith’s algorithm, the extension is heuristic 
only. 

Let $p(x,y,z)$ be a polynomial in three variables over the integers, of degree $\delta$ independently in $x$, $y$ and $z$. Let $(x_0, y_0, z_0)$ be an integer root of $p(x,y,z)$, with $|x_0| \le X$, $|y_0| \le Y$ and $|z_0| \le Z$. Let $\ell$ be an integer $\ge 0$. As for the bivariate case, we generate an integer $n$ such that $n = 0 \bmod (XYZ)^\ell$, and a polynomial $q(x,y,z)$ such that $q(x_0, y_0, z_0) = 0 \bmod n$ and $q(0,0,0) = 1 \bmod n$. Then we consider the lattice $L$ generated by all linear integer combinations of the polynomials $x^i y^j z^k X^{\ell-i} Y^{\ell-j} Z^{\ell-k} q(xX, yY, zZ)$ for $0 \le i,j,k \le \ell$ and the polynomials $(xX)^i (yY)^j (zZ)^k \cdot n$ for $(i,j,k) \in [0, \delta+\ell]^3 \setminus [0, \ell]^3$. If the ranges $X, Y, Z$ are small enough, then by using LLL we are guaranteed to find a polynomial $h_1(x,y,z)$ such that $h_1(x_0, y_0, z_0) = 0$ over $\mathbb{Z}$ and $h_1(x,y,z)$ is not a multiple of $p(x,y,z)$. Unfortunately, this is not enough. For small enough ranges $X, Y, Z$, we can also obtain a second polynomial $h_2(x,y,z)$ satisfying the same property. This can be done by bounding the norm of the second vector produced by LLL, as in [1,8]. Then we could take the resultant between the three polynomials $p(x,y,z)$, $h_1(x,y,z)$ and $h_2(x,y,z)$ in order to obtain a polynomial $f(x)$ such that $f(x_0) = 0$. But we have no guarantee that the polynomials $h_1(x,y,z)$ and $h_2(x,y,z)$ will be algebraically independent; for example we might have $h_2(x,y,z) = x \cdot h_1(x,y,z)$. This makes the method heuristic only.
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7 Practical Experiments 

An application of solving bivariate equations described in [5] is factoring an RSA modulus $n = pq$ when the high-order bits of $p$ are known. Using our algorithm from theorem 4, we obtain the following theorem, whose proof is given in appendix C.

Theorem 6. For any $\varepsilon > 0$, given $n = pq$ and the high-order $(1/4 + \varepsilon) \log_2 n$ bits of $p$, we can recover the factorization of $n$ in time polynomial in $\log n$.

By comparison, Coppersmith's algorithm provides a slightly better result since only the high-order $\frac{1}{4} \log_2 n$ bits of $p$ are required (see theorem 4, [5]). The results of practical experiments are summarized in table 2, using Shoup's NTL library [14]. It shows that our bivariate polynomial root-finding algorithm works well in practice.



    N           bits of p given   lattice dimension   running time
    512 bits    144 bits          25                  35 sec
    512 bits    141 bits          36                  3 min
    1024 bits   282 bits          36                  20 min

Fig. 2. Running times for factoring $N = pq$ given the high-order bits of $p$, using our bivariate integer polynomial root finding algorithm on a 733 MHz PC running under Linux.



We have also implemented the factorization of $n = pq$ with high-order bits known using the simplification of Howgrave-Graham [7]. Results are given in table 3. It shows that the simplification of Howgrave-Graham is much more efficient in practice. Namely, the factorization of a 1024-bit RSA modulus knowing the high-order 282 bits of $p$ takes roughly 20 minutes using our bivariate polynomial root finding algorithm, and only one second using Howgrave-Graham's simplification. This is due to the fact that the Howgrave-Graham simplification yields a lattice of lower dimension (but it applies only to the particular case of factoring with high bits known, not to the general case of finding small roots of bivariate integer polynomials).



    N           bits of p given   lattice dimension   running time
    1024 bits   282 bits          11                  1 sec
    1024 bits   266 bits          25                  1 min
    1536 bits   396 bits          33                  19 min

Fig. 3. Running times for factoring $N = pq$ given the high-order bits of $p$, using Howgrave-Graham's algorithm on a 733 MHz PC running under Linux.
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8 Conclusion 

We have presented an algorithm for finding small roots of bivariate integer poly- 
nomials, simpler than Coppersmith’s algorithm. The bivariate integer case is 
now as simple to analyze and implement as the univariate modular case. Our 
algorithm is asymptotically less efficient than Coppersmith’s algorithm, but ex- 
periments show that it works well in practice; however, for the particular case of 
integer factorization with high-bits known, the Howgrave-Graham simplification 
appears to be more efficient. 
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A Finding Small Roots in the General Case 

The algorithm described in section 4 assumes that $p(0,0) \ne 0$ and also that $\gcd(p(0,0), XY) = 1$. Here we show how to handle the general case.

If $p(0,0) = 0$, we use a simple change of variable to derive a polynomial $p^*(x,y)$ such that $p^*(0,0) \ne 0$. This is done as follows: we write $p$ as $p(x,y) = x \cdot a_0(x) + y \cdot c(x,y)$, where $a_0$ is a polynomial of maximum degree $\delta - 1$. Since $p(x,y)$ is irreducible, we must have $a_0 \ne 0$. Since $\deg a_0 \le \delta - 1$, there exists $0 < i \le \delta$ such that $a_0(i) \ne 0$. Then $p(i, 0) \ne 0$ and letting $p^*(x,y) = p(x + i, y)$, we obtain that $p^*(0,0) \ne 0$ and use $p^*(x,y)$ instead of $p(x,y)$.

If $\gcd(p(0,0), XY) \ne 1$, we generate two random primes $X'$ and $Y'$ such that $X < X' < 2X$ and $Y < Y' < 2Y$, and $X'$ and $Y'$ do not divide $p(0,0)$. This can be done in polynomial time using the recursive prime generation algorithm described in [10]. We then use $X', Y'$ instead of $X, Y$.



B Proof of Theorem 5 



We use the same $n$ and the same $q(x,y)$ as in section 4. We use the same polynomials $q_{ij}(x,y) = x^i y^j X^{k-i} Y^{k-j} q(x,y)$, but only for $0 \le i + j \le k$ (instead of $0 \le i, j \le k$). We also use the polynomials $q_{ij}(x,y) = x^i y^j n$ for $k < i + j \le k + \delta$.

We obtain a full-rank lattice $L$ of dimension $\omega = (k + \delta + 1)(k + \delta + 2)/2$, where the coefficient vectors of the polynomials $\tilde q_{ij}(x,y)$ form a triangular basis. The contribution of the polynomials $\tilde q_{ij}(x,y)$ for $0 \le i + j \le k$ to the determinant is given by:

$$\prod_{0 \le i+j \le k} (XY)^k = (XY)^{\frac{k(k+1)(k+2)}{2}}$$

and the contribution of the remaining polynomials is:

$$\prod_{k < i+j \le k+\delta} X^i Y^j n = (XY)^{\frac{(k+\delta)(k+\delta+1)(k+\delta+2) - k(k+1)(k+2)}{6}} \cdot n^{\delta(3 + \delta + 2k)/2}$$

which gives:

$$\det L = (XY)^{\frac{3k(1+k)(2+k) + \delta(2 + \delta^2 + 6k + 3k^2 + 3\delta(1+k))}{6}} \cdot n^{\delta(3 + \delta + 2k)/2}$$

As before, the condition is:

$$2^{(\omega-1)/4} \det(L)^{1/\omega} < 2^{-\omega} \cdot (XY)^k \cdot W$$

from which we derive the following condition on $XY$:

$$XY < \ldots \cdot 2^{-4/(\delta \varepsilon^2) - 13\delta}$$

for $\varepsilon = O(1/k)$. As previously, we exhaustively search the high-order $4/(\delta \varepsilon^2) + 13\delta$ bits of $x_0$, to obtain the bound:

$$XY < \ldots$$

while remaining polynomial-time in $(\log W, 2^\delta)$.
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C Factoring with High-Bits Known: Proof of Theorem 6 

Let $N = pq$ be an RSA modulus and assume that we know the high-order $(1/4 + \varepsilon) \log_2 N$ bits of $p$, for $\varepsilon > 0$. By division we also know the high-order $(1/4 + \varepsilon) \log_2 N$ bits of $q$. We write:

$$p = p_0 + x_0 \qquad q = q_0 + y_0$$

$$|x_0| \le p_0 N^{-1/4 - \varepsilon} = X \qquad |y_0| \le q_0 N^{-1/4 - \varepsilon} = Y$$

where $p_0$ and $q_0$ are known and $x_0$ and $y_0$ are unknown. We define the polynomial:

$$p(x,y) = (p_0 + x) \cdot (q_0 + y) - N = (p_0 q_0 - N) + q_0 x + p_0 y + xy$$

We have that $p(x_0, y_0) = 0$ and:

$$W = \max(|p_0 q_0 - N|, q_0 X, p_0 Y, XY) \ge q_0 X \ge N^{3/4 - \varepsilon}$$

We have:

$$XY = p_0 q_0 N^{-1/2 - 2\varepsilon} < N^{1/2 - 2\varepsilon}$$

which gives:

so that by guessing one additional bit of $x_0$ we are under the conditions of theorem 4.
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Abstract. We study the problem of searching on data that is encrypted 
using a public key system. Consider user Bob who sends email to user 
Alice encrypted under Alice’s public key. An email gateway wants to test 
whether the email contains the keyword “urgent” so that it could route 
the email accordingly. Alice, on the other hand does not wish to give the 
gateway the ability to decrypt all her messages. We define and construct 
a mechanism that enables Alice to provide a key to the gateway that 
enables the gateway to test whether the word “urgent” is a keyword in 
the email without learning anything else about the email. We refer to this 
mechanism as Public Key Encryption with keyword Search. As another 
example, consider a mail server that stores various messages publicly 
encrypted for Alice by others. Using our mechanism Alice can send the 
mail server a key that will enable the server to identify all messages 
containing some specific keyword, but learn nothing else. We define the 
concept of public key encryption with keyword search and give several 
constructions. 



1 Introduction 

Suppose user Alice wishes to read her email on a number of devices: laptop, desktop, pager, etc. Alice's mail gateway is supposed to route email to the appropriate device based on the keywords in the email. For example, when Bob sends email with the keyword "urgent" the mail is routed to Alice's pager. When Bob sends email with the keyword "lunch" the mail is routed to Alice's desktop for reading later. One expects each email to contain a small number of keywords. For example, all words on the subject line as well as the sender's email address could be used as keywords. The mobile people project [24] provides this email processing capability.

* Supported by NSF and the Packard foundation.

Stanford and while at Telcordia.

*** Part of this work done while visiting DIMACS. Work supported by NoE ECRYPT.

Now, suppose Bob sends encrypted email to Alice using Alice's public key. Both the contents of the email and the keywords are encrypted. In this case the mail gateway cannot see the keywords and hence cannot make routing decisions. As a result, the mobile people project is unable to process secure email without violating user privacy. Our goal is to enable Alice to give the gateway the ability to test whether "urgent" is a keyword in the email, but the gateway should learn nothing else about the email. More generally, Alice should be able to specify a few keywords that the mail gateway can search for, but learn nothing else about incoming mail. We give precise definitions in Section 2.

To do so, Bob encrypts his email using a standard public key system. He then appends to the resulting ciphertext a Public-Key Encryption with keyword Search (PEKS) of each keyword. To send a message M with keywords $W_1, \ldots, W_m$ Bob sends

$E_{A_{pub}}(M) \,\|\, \mathrm{PEKS}(A_{pub}, W_1) \,\|\, \cdots \,\|\, \mathrm{PEKS}(A_{pub}, W_m)$

where A_pub is Alice's public key. The point of this form of encryption is that Alice can give the gateway a certain trapdoor T_W that enables the gateway to test whether one of the keywords associated with the message is equal to the word W of Alice's choice. Given PEKS(A_pub, W') and T_W the gateway can test whether W = W'. If W ≠ W' the gateway learns nothing more about W'. Note that Alice and Bob do not communicate in this entire process. Bob generates the searchable encryption for W' just given Alice's public key.

In some cases, it is instructive to view the email gateway as an IMAP or POP email server. The server stores many emails and each email contains a small number of keywords. As before, all these emails are created by various people sending mail to Alice encrypted using her public key. We want to enable Alice to ask queries of the form: do any of the messages on the server contain the keyword "urgent"? Alice would do this by giving the server a trapdoor T_W, thus enabling the server to retrieve emails containing the keyword W. The server learns nothing else about the emails.

Related work. A related issue deals with privacy of database data. There are two different scenarios: public databases and private databases, and the solutions for each are different.

Private databases: In this setting a user wishes to upload its private data to a remote database and wishes to keep the data private from the remote database administrator. Later, the user must be able to retrieve from the remote database all records that contain a particular keyword. Solutions to this problem were presented in the early 1990's by Ostrovsky [26] and Ostrovsky and Goldreich [17] and more recently by Song et al. [28]. The solution of Song et al. [28] requires very little communication between the user and the database (proportional to the security parameter) and only one round of interaction. The database performs work that is linear in its size per query. The solution of [26,17] requires poly-logarithmic rounds (in the size of the database) between the user and the database, but allows the database to do only poly-logarithmic work per query. An additional privacy requirement that might be appealing in some scenarios is to hide from the database administrator any information regarding the access pattern, i.e. if some item was retrieved more than once, some item was not retrieved at all, etc. The work of [26,17] achieves this property as well, with the same poly-logarithmic cost† per query both for the database-user interaction and the actual database work. We stress that both the constructions of [26,17] and the more recent work of [10,28,16] apply only to the private-key setting for users who own their data and wish to upload it to a third-party database that they do not trust.

Public databases: Here the database data is public (such as stock quotes) but the user is unaware of it and wishes to retrieve some data-item or search for some data-item, without revealing to the database administrator which item it is. The naive solution is that the user can download the entire database. Public Information Retrieval (PIR) protocols allow a user to retrieve data from a public database with far smaller communication than just downloading the entire database. PIR was first shown to be possible only in the setting where there are many copies of the same database and none of the copies can talk to each other [5]. PIR was shown to be possible for a single database by Kushilevitz and Ostrovsky [22] (using the homomorphic encryption scheme of [19]). The communication complexity of the [22] solution (i.e. the number of bits transmitted between the user and the database) is $O(n^{\varepsilon})$, where n is the size of the database and $\varepsilon > 0$. This was reduced to poly-logarithmic overhead by Cachin, Micali, and Stadler [4]. As pointed out in [22], the model of PIR can be extended to one-out-of-n Oblivious Transfer and keyword searching on public data, and received a lot of additional attention in the literature (see, for example, [22,8,20,9,23,25,27]). We stress though that in all these settings the database is public, and the user is trying to retrieve or find certain items without revealing to the database administrator what it is searching for. In the setting of a single public database, it can be shown that the database must always perform work which is at least linear in the size of the database.

Our problem does not fit either of the two models mentioned above. Unlike the private-key setting, data collected by the mail-server is from third parties, and cannot be "organized" by the user in any convenient way. Unlike the publicly available database, the data is not public, and hence the PIR solutions do not apply.

We point out that in practical applications, due to the computation cost of public key encryption, our constructions are applicable to searching on a small number of keywords rather than an entire file. Recently, Waters et al. [30] showed that public key encryption with keyword search can be used to build an encrypted and searchable audit log. Other methods for searching on encrypted data are described in [16,12].

† The poly-logarithmic construction of [26,17] requires large constants, which makes it impractical; however their basic $O(\sqrt{n})$ solution was recently shown to be applicable for some practical applications [10].
2 Public Key Encryption with Searching: Definitions

Throughout the paper we use the term negligible function to refer to a function $f : \mathbb{N} \to [0, 1]$ where $f(s) < 1/g(s)$ for any polynomial g and sufficiently large s.

We start by precisely defining what a secure Public Key Encryption with keyword Search (PEKS) scheme is. Here "public-key" refers to the fact that ciphertexts are created by various people using Alice's public key. Suppose user Bob is about to send an encrypted email to Alice with keywords $W_1, \ldots, W_k$ (e.g., words in the subject line and the sender's address could be used as keywords, so that k is relatively small). Bob sends the following message:

$[E_{A_{pub}}[\mathrm{msg}],\ \mathrm{PEKS}(A_{pub}, W_1),\ \ldots,\ \mathrm{PEKS}(A_{pub}, W_k)] \qquad (1)$

where A_pub is Alice's public key, msg is the email body, and PEKS is an algorithm with properties discussed below. The PEKS values do not reveal any information about the message, but enable searching for specific keywords. For the rest of the paper, we use as our sample application a mail server that stores all incoming email.

Our goal is to enable Alice to send a short secret key T_W to the mail server that will enable the server to locate all messages containing the keyword W, but learn nothing else. Alice produces this trapdoor T_W using her private key. The server simply sends the relevant emails back to Alice. We call such a system non-interactive public key encryption with keyword search, or as a shorthand "searchable public-key encryption".

Definition 1. A non-interactive public key encryption with keyword search (we sometimes abbreviate it as "searchable encryption") scheme consists of the following polynomial time randomized algorithms:

1. KeyGen(s): Takes a security parameter, s, and generates a public/private key pair A_pub, A_priv.

2. PEKS(A_pub, W): for a public key A_pub and a word W, produces a searchable encryption of W.

3. Trapdoor(A_priv, W): given Alice's private key and a word W produces a trapdoor T_W.

4. Test(A_pub, S, T_W): given Alice's public key, a searchable encryption S = PEKS(A_pub, W'), and a trapdoor T_W = Trapdoor(A_priv, W), outputs 'yes' if W = W' and 'no' otherwise.

Alice runs the KeyGen algorithm to generate her public/private key pair. She uses Trapdoor to generate trapdoors T_W for any keywords W that she wants the mail server or mail gateway to search for. The mail server uses the given trapdoors as input to the Test() algorithm to determine whether a given email contains one of the keywords W specified by Alice.

Next, we define security for a PEKS in the sense of semantic security. We need to ensure that a PEKS(A_pub, W) does not reveal any information about W unless T_W is available. We define security against an active attacker who is able to obtain trapdoors T_W for any W of his choice. Even under such an attack the attacker should not be able to distinguish an encryption of a keyword W_0 from an encryption of a keyword W_1 for which he did not obtain the trapdoor. Formally, we define security against an active attacker A using the following game between a challenger and the attacker (the security parameter s is given to both players as input).

PEKS Security game:

1. The challenger runs the KeyGen(s) algorithm to generate A_pub and A_priv. It gives A_pub to the attacker.

2. The attacker can adaptively ask the challenger for the trapdoor T_W for any keyword W ∈ {0,1}* of his choice.

3. At some point, the attacker A sends the challenger two words W_0, W_1 on which it wishes to be challenged. The only restriction is that the attacker did not previously ask for the trapdoors T_{W_0} or T_{W_1}. The challenger picks a random b ∈ {0,1} and gives the attacker C = PEKS(A_pub, W_b). We refer to C as the challenge PEKS.

4. The attacker can continue to ask for trapdoors T_W for any keyword W of his choice as long as W ≠ W_0, W_1.

5. Eventually, the attacker A outputs b' ∈ {0,1} and wins the game if b = b'.

In other words, the attacker wins the game if he can correctly guess whether he was given the PEKS for W_0 or W_1. We define A's advantage in breaking the PEKS as

$\mathrm{Adv}_A(s) = \left|\Pr[b = b'] - \tfrac{1}{2}\right|$

Definition 2. We say that a PEKS is semantically secure against an adaptive chosen keyword attack if for any polynomial time attacker A we have that Adv_A(s) is a negligible function.

Chosen Ciphertext Security. We note that Definition 2 ensures that the construction given in Eq. (1) is semantically secure whenever the public key encryption system $E_{A_{pub}}$ is semantically secure. However, as is, the construction is not chosen ciphertext secure. Indeed, a chosen ciphertext attacker can break semantic security by reordering the keywords in Eq. (1) and submitting the resulting ciphertext for decryption. A standard technique can make this construction chosen ciphertext secure using the methods of [7]. We defer this to the full version of the paper.

2.1 PEKS Implies Identity Based Encryption

Public key encryption with keyword search is related to Identity Based Encryption (IBE) [29,2]. Constructing a secure PEKS appears to be a harder problem than constructing an IBE. Indeed, the following lemma shows that PEKS implies Identity Based Encryption. The converse is probably false. Security notions for IBE, and in particular chosen ciphertext secure IBE (IND-ID-CCA), are defined

Lemma 1. A non-interactive searchable encryption scheme (PEKS) that is semantically secure against an adaptive chosen keyword attack gives rise to a chosen ciphertext secure IBE system (IND-ID-CCA).

Proof sketch: Given a PEKS (KeyGen, PEKS, Trapdoor, Test) the IBE system is as follows:

1. Setup: Run the PEKS KeyGen algorithm to generate A_pub, A_priv. The IBE system parameters are A_pub. The master-key is A_priv.

2. KeyGen: The IBE private key associated with a public key X ∈ {0,1}* is

$d_X = [\mathrm{Trapdoor}(A_{priv}, X\|0),\ \mathrm{Trapdoor}(A_{priv}, X\|1)],$

where ‖ denotes concatenation.

3. Encrypt: Encrypt a bit b ∈ {0,1} using a public key X ∈ {0,1}* as:

$CT = \mathrm{PEKS}(A_{pub}, X\|b).$

4. Decrypt: To decrypt CT = PEKS(A_pub, X‖b) using the private key d_X = (d_0, d_1) output '0' if Test(A_pub, CT, d_0) = 'yes' and output '1' if Test(A_pub, CT, d_1) = 'yes'.

One can show that the resulting system is IND-ID-CCA assuming the PEKS is semantically secure against an adaptive chosen message attack. □

This shows that building non-interactive public-key searchable encryption is at least as hard as building an IBE system. One might be tempted to prove the converse (i.e., IBE implies PEKS) by defining

$\mathrm{PEKS}(A_{pub}, W) = E_W[0^k] \qquad (2)$

i.e. encrypt a string of k zeros with the IBE public key W ∈ {0,1}*. The Test algorithm attempts to decrypt $E_W[0^k]$ and checks that the resulting plaintext is $0^k$. Unfortunately, this does not necessarily give a secure searchable encryption scheme. The problem is that the ciphertext CT could expose the public key (W) used to create CT. Generally, an encryption scheme need not hide the public key that was used to create a given ciphertext. But this property is essential for the PEKS construction given in (2). We note that public key privacy was previously studied by Bellare et al. [1].

Generally, it appears that constructing a searchable public-key encryption is a harder problem than constructing an IBE scheme. Nevertheless, our first PEKS construction is based on a recent construction for an IBE system. We are able to prove security by exploiting extra properties of this system.

3 Constructions

We give two constructions for public-key searchable encryption: (1) an efficient system based on a variant of the Decision Diffie-Hellman assumption (assuming a random oracle) and (2) a limited system based on general trapdoor permutations (without assuming the random oracle), but less efficient.
3.1 Construction Using Bilinear Maps

Our first construction is based on a variant of the Computational Diffie-Hellman problem. Boneh and Franklin [2] recently used bilinear maps on elliptic curves to build an efficient IBE system. Abstractly, they use two groups $G_1, G_2$ of prime order p and a bilinear map $e : G_1 \times G_1 \to G_2$ between them. The map satisfies the following properties:

1. Computable: given $g, h \in G_1$ there is a polynomial time algorithm to compute $e(g, h) \in G_2$.

2. Bilinear: for any integers $x, y \in [1, p]$ we have $e(g^x, g^y) = e(g, g)^{xy}$.

3. Non-degenerate: if g is a generator of $G_1$ then $e(g, g)$ is a generator of $G_2$.

The size of $G_1, G_2$ is determined by the security parameter.

We build a non-interactive searchable encryption scheme from such a bilinear map. The construction is based on [2]. We will need hash functions $H_1 : \{0,1\}^* \to G_1$ and $H_2 : G_2 \to \{0,1\}^{\log p}$. Our PEKS works as follows:

— KeyGen: The input security parameter determines the size, p, of the groups $G_1$ and $G_2$. The algorithm picks a random $\alpha \in \mathbb{Z}_p^*$ and a generator g of $G_1$. It outputs $A_{pub} = [g, h = g^\alpha]$ and $A_{priv} = \alpha$.

— PEKS(A_pub, W): First compute $t = e(H_1(W), h^r) \in G_2$ for a random $r \in \mathbb{Z}_p^*$. Output $\mathrm{PEKS}(A_{pub}, W) = [g^r, H_2(t)]$.

— Trapdoor(A_priv, W): output $T_W = H_1(W)^\alpha \in G_1$.

— Test(A_pub, S, T_W): let S = [A, B]. Test if $H_2(e(T_W, A)) = B$.

If so, output 'yes'; if not, output 'no'.

We prove that this system is a non-interactive searchable encryption scheme semantically secure against a chosen keyword attack in the random oracle model. The proof of security relies on the difficulty of the Bilinear Diffie-Hellman problem (BDH) [2,21].

Bilinear Diffie-Hellman Problem (BDH): Fix a generator g of $G_1$. The BDH problem is as follows: given $g, g^\alpha, g^\beta, g^\gamma \in G_1$ as input, compute $e(g, g)^{\alpha\beta\gamma} \in G_2$. We say that BDH is intractable if all polynomial time algorithms have a negligible advantage in solving BDH.

We note that the Boneh-Franklin IBE system [2] relies on the same intractability assumption for security. The security of our PEKS is proved in the following theorem. The proof is set in the random oracle model. Indeed, it is currently an open problem to build a secure IBE, and hence a PEKS, without the random oracle model.

Theorem 1. The non-interactive searchable encryption scheme (PEKS) above is semantically secure against a chosen keyword attack in the random oracle model assuming BDH is intractable.

Proof: Suppose A is an attack algorithm that has advantage ε in breaking the PEKS. Suppose A makes at most $q_{H_2}$ hash function queries to $H_2$ and at most $q_T$ trapdoor queries (we assume $q_T$ and $q_{H_2}$ are positive). We construct an algorithm B that solves the BDH problem with probability at least $\varepsilon' = \varepsilon / (e\, q_T\, q_{H_2})$, where e is the base of the natural logarithm. Algorithm B's running time is approximately the same as A's. Hence, if the BDH assumption holds in $G_1$ then ε' is a negligible function and consequently ε must be a negligible function in the security parameter.

Let g be a generator of $G_1$. Algorithm B is given $g,\ u_1 = g^\alpha,\ u_2 = g^\beta,\ u_3 = g^\gamma \in G_1$. Its goal is to output $v = e(g, g)^{\alpha\beta\gamma} \in G_2$. Algorithm B simulates the challenger and interacts with forger A as follows:

KeyGen. Algorithm B starts by giving A the public key $A_{pub} = [g, u_1]$.

$H_1$, $H_2$-queries. At any time algorithm A can query the random oracles $H_1$ or $H_2$. To respond to $H_1$ queries algorithm B maintains a list of tuples $(W_j, h_j, a_j, c_j)$ called the $H_1$-list. The list is initially empty. When A queries the random oracle $H_1$ at a point $W_i \in \{0,1\}^*$, algorithm B responds as follows:

1. If the query $W_i$ already appears on the $H_1$-list in a tuple $(W_i, h_i, a_i, c_i)$ then algorithm B responds with $H_1(W_i) = h_i \in G_1$.

2. Otherwise, B generates a random coin $c_i \in \{0,1\}$ so that $\Pr[c_i = 0] = 1/(q_T + 1)$.

3. Algorithm B picks a random $a_i \in \mathbb{Z}_p$. If $c_i = 0$, B computes $h_i \leftarrow u_2 \cdot g^{a_i} \in G_1$. If $c_i = 1$, B computes $h_i \leftarrow g^{a_i} \in G_1$.

4. Algorithm B adds the tuple $(W_i, h_i, a_i, c_i)$ to the $H_1$-list and responds to A by setting $H_1(W_i) = h_i$. Note that either way $h_i$ is uniform in $G_1$ and is independent of A's current view as required.

Similarly, at any time A can issue a query to $H_2$. Algorithm B responds to a query for $H_2(t)$ by picking a new random value $V \in \{0,1\}^{\log p}$ for each new t and setting $H_2(t) = V$. In addition, B keeps track of all $H_2$ queries by adding the pair (t, V) to an $H_2$-list. The $H_2$-list is initially empty.

Trapdoor queries. When A issues a query for the trapdoor corresponding to the word $W_i$ algorithm B responds as follows:

1. Algorithm B runs the above algorithm for responding to $H_1$-queries to obtain an $h_i \in G_1$ such that $H_1(W_i) = h_i$. Let $(W_i, h_i, a_i, c_i)$ be the corresponding tuple on the $H_1$-list. If $c_i = 0$ then B reports failure and terminates.

2. Otherwise, we know $c_i = 1$ and hence $h_i = g^{a_i} \in G_1$. Define $T_i = u_1^{a_i}$. Observe that $T_i = H_1(W_i)^\alpha$ and therefore $T_i$ is the correct trapdoor for the keyword $W_i$ under the public key $A_{pub} = [g, u_1]$. Algorithm B gives $T_i$ to algorithm A.

Challenge. Eventually algorithm A produces a pair of keywords $W_0$ and $W_1$ that it wishes to be challenged on. Algorithm B generates the challenge PEKS as follows:

1. Algorithm B runs the above algorithm for responding to $H_1$-queries twice to obtain $h_0, h_1 \in G_1$ such that $H_1(W_0) = h_0$ and $H_1(W_1) = h_1$. For i = 0, 1 let $(W_i, h_i, a_i, c_i)$ be the corresponding tuples on the $H_1$-list. If both $c_0 = 1$ and $c_1 = 1$ then B reports failure and terminates.
2. We know that at least one of $c_0, c_1$ is equal to 0. Algorithm B randomly picks a $b \in \{0,1\}$ such that $c_b = 0$ (if only one $c_b$ is equal to 0 then no randomness is needed since there is only one choice).

3. Algorithm B responds with the challenge PEKS $C = [u_3, J]$ for a random $J \in \{0,1\}^{\log p}$.

Note that this challenge implicitly defines $H_2(e(H_1(W_b), u_1^\gamma)) = J$. In other words,

With this definition, C is a valid PEKS for $W_b$ as required.

More trapdoor queries. A can continue to issue trapdoor queries for keywords $W_i$ where the only restriction is that $W_i \ne W_0, W_1$. Algorithm B responds to these queries as before.

Output. Eventually, A outputs its guess $b' \in \{0,1\}$ indicating whether the challenge C is the result of PEKS($A_{pub}$, $W_0$) or PEKS($A_{pub}$, $W_1$). At this point, algorithm B picks a random pair (t, V) from the $H_2$-list and outputs $t / e(u_1, u_3)^{a_b}$ as its guess for $e(g, g)^{\alpha\beta\gamma}$, where $a_b$ is the value used in the Challenge step. The reason this works is that, as we will show, A must have issued a query for either $H_2(e(H_1(W_0), u_1^\gamma))$ or $H_2(e(H_1(W_1), u_1^\gamma))$. Therefore, with probability 1/2 the $H_2$-list contains a pair whose left hand side is $t = e(H_1(W_b), u_1^\gamma)$. If B picks this pair (t, V) from the $H_2$-list then $t / e(u_1, u_3)^{a_b} = e(g, g)^{\alpha\beta\gamma}$ as required.

This completes the description of algorithm B. It remains to show that B correctly outputs $e(g, g)^{\alpha\beta\gamma}$ with probability at least ε'. To do so, we first analyze the probability that B does not abort during the simulation. We define two events:

$\mathcal{E}_1$: B does not abort as a result of any of A's trapdoor queries.

$\mathcal{E}_2$: B does not abort during the challenge phase.

We first argue as in [6] that both events $\mathcal{E}_1$ and $\mathcal{E}_2$ occur with sufficiently high probability.

Claim 1: The probability that algorithm B does not abort as a result of A's trapdoor queries is at least 1/e. Hence, $\Pr[\mathcal{E}_1] \ge 1/e$.

Proof. Without loss of generality we assume that A does not ask for the trapdoor of the same keyword twice. The probability that a trapdoor query causes B to abort is $1/(q_T + 1)$. To see this, let $W_i$ be A's i-th trapdoor query and let $(W_i, h_i, a_i, c_i)$ be the corresponding tuple on the $H_1$-list. Prior to issuing the query, the bit $c_i$ is independent of A's view: the only value that could be given to A that depends on $c_i$ is $H_1(W_i)$, but the distribution on $H_1(W_i)$ is the same whether $c_i = 0$ or $c_i = 1$. Therefore, the probability that this query causes B to abort is at most $1/(q_T + 1)$. Since A makes at most $q_T$ trapdoor queries the probability that B does not abort as a result of all trapdoor queries is at least $(1 - 1/(q_T + 1))^{q_T} \ge 1/e$. □

Claim 2: The probability that algorithm B does not abort during the challenge phase is at least $1/q_T$. Hence, $\Pr[\mathcal{E}_2] \ge 1/q_T$.
Proof. Algorithm B will abort during the challenge phase if A is able to produce $W_0, W_1$ with the following property: $c_0 = c_1 = 1$ where for i = 0, 1 the tuple $(W_i, h_i, a_i, c_i)$ is the tuple on the $H_1$-list corresponding to $W_i$. Since A has not queried for the trapdoor for $W_0, W_1$ we have that both $c_0, c_1$ are independent of A's current view. Therefore, since $\Pr[c_i = 0] = 1/(q_T + 1)$ for i = 0, 1, and the two values are independent of one another, we have that $\Pr[c_0 = c_1 = 1] = (1 - 1/(q_T + 1))^2 \le 1 - 1/q_T$. Hence, the probability that B does not abort is at least $1/q_T$. □

Observe that since A can never issue a trapdoor query for the challenge keywords $W_0, W_1$ the two events $\mathcal{E}_1$ and $\mathcal{E}_2$ are independent. Therefore, $\Pr[\mathcal{E}_1 \wedge \mathcal{E}_2] \ge 1/(e\, q_T)$.

To complete the proof of Theorem 1 it remains to show that B outputs the solution to the given BDH instance with probability at least $\varepsilon / q_{H_2}$. To do so we show that during the simulation A issues a query for $H_2(e(H_1(W_b), u_1^\gamma))$ with probability at least ε.

Claim 3: Suppose that in a real attack game A is given the public key $[g, u_1]$ and A asks to be challenged on words $W_0$ and $W_1$. In response, A is given a challenge $C = [g^\gamma, J]$. Then, in the real attack game A issues an $H_2$ query for either $H_2(e(H_1(W_0), u_1^\gamma))$ or $H_2(e(H_1(W_1), u_1^\gamma))$ with probability at least 2ε.

Proof. Let $\mathcal{E}_3$ be the event that in the real attack A does not issue a query for either one of $H_2(e(H_1(W_0), u_1^\gamma))$ and $H_2(e(H_1(W_1), u_1^\gamma))$. Then, when $\mathcal{E}_3$ occurs we know that the bit $b \in \{0,1\}$ indicating whether C is a PEKS of $W_0$ or $W_1$ is independent of A's view. Therefore, A's output b' will satisfy b = b' with probability at most 1/2. By definition of A, we know that in the real attack $|\Pr[b = b'] - 1/2| \ge \varepsilon$. We show that these two facts imply that $\Pr[\neg\mathcal{E}_3] \ge 2\varepsilon$. To do so, we first derive simple upper and lower bounds on $\Pr[b = b']$:

$\Pr[b = b'] = \Pr[b = b' \mid \mathcal{E}_3]\Pr[\mathcal{E}_3] + \Pr[b = b' \mid \neg\mathcal{E}_3]\Pr[\neg\mathcal{E}_3]$

$\le \Pr[b = b' \mid \mathcal{E}_3]\Pr[\mathcal{E}_3] + \Pr[\neg\mathcal{E}_3]$

$= \tfrac{1}{2}\Pr[\mathcal{E}_3] + \Pr[\neg\mathcal{E}_3] = \tfrac{1}{2} + \tfrac{1}{2}\Pr[\neg\mathcal{E}_3]$

$\Pr[b = b'] \ge \Pr[b = b' \mid \mathcal{E}_3]\Pr[\mathcal{E}_3] = \tfrac{1}{2}\Pr[\mathcal{E}_3] = \tfrac{1}{2} - \tfrac{1}{2}\Pr[\neg\mathcal{E}_3].$

It follows that $\varepsilon \le |\Pr[b = b'] - 1/2| \le \tfrac{1}{2}\Pr[\neg\mathcal{E}_3]$. Therefore, in the real attack, $\Pr[\neg\mathcal{E}_3] \ge 2\varepsilon$ as required. □

Now, assuming B does not abort, we know that B simulates a real attack game perfectly up to the moment when A issues a query for either $H_2(e(H_1(W_0), u_1^\gamma))$ or $H_2(e(H_1(W_1), u_1^\gamma))$. Therefore, by Claim 3, by the end of the simulation A will have issued a query for either $H_2(e(H_1(W_0), u_1^\gamma))$ or $H_2(e(H_1(W_1), u_1^\gamma))$ with probability at least 2ε. It follows that A issues a query for $H_2(e(H_1(W_b), u_1^\gamma))$ with probability at least ε. Consequently, the value $e(H_1(W_b), u_1^\gamma)$ will appear on the left hand side of some pair in the $H_2$-list. Algorithm B will choose the correct pair with probability at least $1/q_{H_2}$ and therefore, assuming B does not abort during the simulation, it will produce the correct answer with probability at least $\varepsilon / q_{H_2}$. Since B does not abort with probability at least $1/(e\, q_T)$ we see that B's success probability overall is at least $\varepsilon / (e\, q_T\, q_{H_2})$ as required. □

3.2 A Limited Construction Using Any Trapdoor Permutation

Our second PEKS construction is based on general trapdoor permutations, assuming that the total number of keywords that the user wishes to search for is bounded by some polynomial function in the security parameter. (As a first step in our construction, we will make an even stronger assumption that the total number of words $\Sigma \subset \{0,1\}^*$ in the dictionary is also bounded by a polynomial function; we will later show how to remove this additional assumption.) We will also need a family of semantically-secure encryptions where given a ciphertext it is computationally hard to say which public-key this ciphertext is associated with. This notion was formalized by Bellare et al. [1]. We say that a public-key system that has this property is source-indistinguishable. More precisely, source-indistinguishability for an encryption scheme (G, E, D) is defined using the following game between a challenger and an attacker A (here G is the key generation algorithm, and E/D are encryption/decryption algorithms). The security parameter s is given to both players.

Source Indistinguishability security game:

1. The challenger runs algorithm G(s) two times to generate two public/private key pairs $(PK_0, Priv_0)$ and $(PK_1, Priv_1)$.

2. The challenger picks a random $M \in \{0,1\}^s$ and a random $b \in \{0,1\}$ and computes an encryption $C = PK_b(M)$. The challenger gives (M, C) to the attacker.

3. The attacker outputs b' and wins the game if b = b'.

In other words, the attacker wins if he correctly guesses whether he was given the encryption of M under $PK_0$ or under $PK_1$. We define A's advantage in winning the game as:

$\mathrm{AdvSI}_A(s) = \left|\Pr[b = b'] - \tfrac{1}{2}\right|$

Definition 3. We say that a public-key encryption scheme is source indistinguishable if for any polynomial time attacker A we have that $\mathrm{AdvSI}_A(s)$ is a negligible function.

We note that Bellare et al. [1] define a stronger notion of source indistinguishability than the one above by allowing the adversary to choose the challenge message M. For our purposes, giving the adversary an encryption of a random message is sufficient.

It is easy to check that source indistinguishability can be attained from any trapdoor permutation family, where for a given security parameter all permutations in the family are defined over the same domain. Such a family can be constructed from any family of trapdoor permutations as described in [1]. Then to encrypt a bit b we pick a random x, and output $[f(x),\ GL(x) \oplus b]$ where GL is the Goldreich-Levin hard-core bit [19]. We therefore obtain the following lemma:

Lemma 2. Given any trapdoor permutation family we can construct a semantically secure source indistinguishable encryption scheme.

We note that source indistinguishability is an orthogonal property to semantic security. One can build a semantically secure system that is not source indistinguishable (by embedding the public key in every ciphertext). Conversely, one can build a source indistinguishable system that is not semantically secure (by embedding the plaintext in every ciphertext).

A simple PEKS from trapdoor permutations. When the keyword family Σ is of polynomial size (in the security parameter) it is easy to construct searchable encryption from any source-indistinguishable public-key system (G, E, D). We let s be the security parameter for the scheme.

— KeyGen: For each W ∈ Σ run G(s) to generate a new public/private key pair $PK_W / Priv_W$ for the source-indistinguishable encryption scheme. The PEKS public key is $A_{pub} = \{PK_W \mid W \in \Sigma\}$. The private key is $A_{priv} = \{Priv_W \mid W \in \Sigma\}$.

— PEKS(A_pub, W): Pick a random $M \in \{0,1\}^s$ and output $\mathrm{PEKS}(A_{pub}, W) = (M, E[PK_W, M])$, i.e. encrypt M using the public key $PK_W$.

— Trapdoor(A_priv, W): The trapdoor for word W is simply $T_W = Priv_W$.

— Test(A_pub, S, T_W): Test if the decryption $D[T_W, S] = 0^s$. Output 'yes' if so and 'no' otherwise.

Note that the dictionary must be of polynomial size (in s) so that the public and private keys are of polynomial size (in s).

This construction gives a semantically secure PEKS as stated in the following 
simple theorem. Semantically secure PEKS is defined as in Definition 2 except 
that the adversary is not allowed to make chosen keyword queries. 

Theorem 2. The PEKS scheme above is semantically secure assuming the un- 
derlying public key encryption scheme (G, E, D) is source-indistinguishable. 

Proof sketch: Let $\Sigma = \{W_1, \ldots, W_k\}$ be the keyword dictionary. Suppose we have a PEKS attacker $A$ for which $\mathrm{Adv}_A(s) > \varepsilon(s)$. We build an attacker $B$ that breaks the source indistinguishability of $(G, E, D)$ where $\mathrm{Adv}^{SI}_B(s) > \varepsilon(s)/k^2$. 

The reduction is immediate: $B$ is given two public keys $PK_0, PK_1$ and a pair $(M, C)$ where $M$ is random in $\{0,1\}^s$ and $C = PK_b(M)$ for $b \in \{0,1\}$. Algorithm $B$ generates $k - 2$ additional public/private keys using $G(s)$. It creates $A_{pub}$ as a list of all $k$ public keys with $PK_0, PK_1$ embedded in a random location in the list. Let $W_i, W_j$ be the words associated with the public keys $PK_0, PK_1$. $B$ sends $A_{pub}$ to $A$ who then responds with two words $W_{k_0}, W_{k_1} \in \Sigma$ on which $A$ wishes to be challenged. If $\{i, j\} \neq \{k_0, k_1\}$ algorithm $B$ reports failure and aborts. Otherwise, $B$ sends the challenge $(M, C)$ to $A$ who then responds with a $b' \in \{0, 1\}$. Algorithm $B$ outputs $b'$ as its response to the source indistinguishability challenge. We have that $b = b'$ if algorithm $B$ did not abort and $A$’s response was correct. This happens with probability at least $\frac{1}{2} + \varepsilon/k^2$. Hence, $\mathrm{Adv}^{SI}_B(s) > \varepsilon(s)/k^2$ as required. □ 

We note that this PEKS can be viewed as derived from an IBE system with a 
limited number of identities. For each identity there is a pre-specified public key. 
Such an IBE system is implied in the work of Dodis et al. [13]. They propose 
reducing the size of the public-key using cover-free set systems. We apply the 
same idea below to reduce the size of the public key in the PEKS above. 

Reducing the public key size. The drawback of the above scheme is that the public key length grows linearly with the total dictionary size. If we have an upper bound on the total number of keyword trapdoors that the user will release to the email gateway (though we do not need to know these keywords a priori) we can do much better using cover-free families [15] and can allow the keyword dictionary to be of exponential size. Since typically a user will only allow a third party (such as an e-mail server) to search for a limited number of keywords, assuming an upper bound on the number of released trapdoors is within reason. We begin by recalling the definition of cover-free families. 

Definition 4. Cover-free families. Let $d, t, k$ be positive integers, let $G$ be a ground set of size $d$, and let $F = \{S_1, \ldots, S_k\}$ be a family of subsets of $G$. We say that subset $S_j$ does not cover $S_i$ if it holds that $S_i \not\subseteq S_j$. We say that family $F$ is $t$-cover free over $G$ if each subset in $F$ is not covered by the union of $t$ subsets in $F$. Moreover, we say that a family of subsets is $q$-uniform if all subsets in the family have size $q$. 

We will use the following fact from [14]. 

Lemma 3. [14] There exists a deterministic algorithm that, for any fixed $t, k$, constructs a $q$-uniform $t$-cover free family $F$ over a ground set of size $d$, for $q = \lfloor d/4t \rfloor$ and $d \le 16t^2(1 + \log(k/2)/\log 3)$. 

The PEKS. Given the previous PEKS construction as a starting point, we can significantly reduce the size of the public file $A_{pub}$ by allowing the user to re-use individual public keys for different keywords. We associate to each keyword a subset of public keys chosen from a cover free family. Let $k$ be the size of the dictionary $\Sigma = \{W_1, \ldots, W_k\}$ and let $t$ be an upper bound on the number of keyword trapdoors released to the mail gateway by user Alice. Let $d, q$ satisfy the bounds of Lemma 3. The PEKS$(d, t, k, q)$ construction is as follows: 

— KeyGen: For $i = 1, \ldots, d$ run algorithm $G(s)$ to generate a new public/private key pair $PK_i / Priv_i$ for the source-indistinguishable encryption scheme. The PEKS public key is $A_{pub} = \{PK_1, \ldots, PK_d\}$. The private key is $A_{priv} = \{Priv_1, \ldots, Priv_d\}$. We will be using a $q$-uniform $t$-cover free family of subsets $F = \{S_1, \ldots, S_k\}$ of $\{PK_1, \ldots, PK_d\}$. Hence, each $S_i$ is a subset of public keys. 

— PEKS$(A_{pub}, W_i)$: Let $S_i \in F$ be the subset associated with the word $W_i \in \Sigma$. Let $S_i = \{PK^{(1)}, \ldots, PK^{(q)}\}$. Pick random messages $M_1, \ldots, M_q \in \{0,1\}^s$ and let $M = M_1 \oplus \cdots \oplus M_q$. Output the tuple: 

PEKS$(A_{pub}, W_i) = \left(M,\ E[PK^{(1)}, M_1],\ \ldots,\ E[PK^{(q)}, M_q]\right)$ 

— Trapdoor$(A_{priv}, W_i)$: Let $S_i \in F$ be the subset associated with word $W_i \in \Sigma$. The trapdoor for word $W_i$ is simply the set of private keys that correspond to the public keys in the set $S_i$. 

— Test$(A_{pub}, R, T_W)$: Let $T_W = \{Priv^{(1)}, \ldots, Priv^{(q)}\}$ and let $R = (M, C_1, \ldots, C_q)$ be a PEKS. For $i = 1, \ldots, q$ decrypt each $C_i$ using private key $Priv^{(i)}$ to obtain $M_i$. Output ‘yes’ if $M = M_1 \oplus \cdots \oplus M_q$, and output ‘no’ otherwise. 

The size of the public key file $A_{pub}$ is much smaller now: logarithmic in the size of the dictionary. The downside is that Alice can only release $t$ keywords to the email gateway. Once $t$ trapdoors are released privacy is no longer guaranteed. Also, notice that the size of the PEKS is larger now (logarithmic in the dictionary size and linear in $t$). The following corollary of Theorem 2 shows that the resulting PEKS is secure. 
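Both PEKS constructions above, the one-key-per-word scheme and the cover-free PEKS$(d, t, k, q)$, as an added example that is not the paper's code: a toy hashed-ElGamal scheme in a common group stands in for the source-indistinguishable $(G, E, D)$ (ElGamal ciphertexts name no key, which is the property the reductions use), the cover-free family is the polynomial construction rather than the algorithm of Lemma 3, and the group size, message length, and helper names (`words_exposed`, which makes the "once $t$ trapdoors are released" caveat checkable) are assumptions. Test compares the XOR of the decrypted shares with $M$, as in the second construction.

```python
import hashlib
import secrets
from itertools import combinations

# Toy hashed-ElGamal (G, E, D). Constructed demo parameters: p = 2*1019 + 1 is a safe
# prime and g = 4 generates its order-1019 subgroup. The group is far too small for
# real use; it only has to exhibit the structure the PEKS needs.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1
S_BYTES = 16  # messages M in {0,1}^s with s = 128


def keygen():
    """G(s): secret exponent x, public key g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_all(blocks):
    out = bytes(S_BYTES)
    for b in blocks:
        out = xor(out, b)
    return out


def _mask(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(2, "big")).digest()[:S_BYTES]


def encrypt(pk: int, m: bytes):
    """E[pk, m] = (g^r, H(pk^r) xor m); nothing in the ciphertext identifies pk."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), xor(_mask(pow(pk, r, P)), m)


def decrypt(sk: int, ct) -> bytes:
    """D[sk, ct]; a wrong key silently yields an unrelated pseudorandom block."""
    c1, c2 = ct
    return xor(_mask(pow(c1, sk, P)), c2)


def polynomial_cover_free_family(p: int, r: int):
    """q-uniform t-cover-free family (constructed; not the Lemma 3 algorithm). Ground set
    F_p x F_p (d = p^2), one subset {(x, f(x)) : x in F_p} per polynomial f of degree < r,
    so k = p^r and q = p. Distinct polynomials agree on at most r-1 points, hence the
    family is t-cover-free whenever t*(r-1) < p. Point (x, y) is numbered x*p + y."""
    family = []
    for idx in range(p ** r):
        coeffs = [(idx // p ** j) % p for j in range(r)]
        family.append(frozenset(
            x * p + sum(c * pow(x, j, p) for j, c in enumerate(coeffs)) % p
            for x in range(p)))
    return family


def is_cover_free(family, t: int) -> bool:
    """Brute-force check of Definition 4: no member lies inside the union of t others."""
    for i, s in enumerate(family):
        others = family[:i] + family[i + 1:]
        if any(s <= frozenset().union(*group) for group in combinations(others, t)):
            return False
    return True


class PEKS:
    """PEKS(d, t, k, q): d key pairs shared among k keywords via the cover-free family."""

    def __init__(self, dictionary, family, d: int):
        self.words = {w: i for i, w in enumerate(dictionary)}
        self.family = family
        pairs = [keygen() for _ in range(d)]
        self.pub = [pk for pk, _ in pairs]    # A_pub = {PK_1, ..., PK_d}
        self.priv = [sk for _, sk in pairs]   # A_priv = {Priv_1, ..., Priv_d}

    def _subset(self, word):
        return sorted(self.family[self.words[word]])  # fixed order PK^(1), ..., PK^(q)

    def peks(self, word):
        """PEKS(A_pub, W_i) = (M, E[PK^(1), M_1], ..., E[PK^(q), M_q]), M = xor of the M_i."""
        idx = self._subset(word)
        shares = [secrets.token_bytes(S_BYTES) for _ in idx]
        return xor_all(shares), [encrypt(self.pub[j], m) for j, m in zip(idx, shares)]

    def trapdoor(self, word):
        """Trapdoor(A_priv, W_i): the private keys matching S_i, in the same order."""
        return [self.priv[j] for j in self._subset(word)]

    @staticmethod
    def test(peks_tuple, trapdoor) -> bool:
        """Test(A_pub, R, T_W): 'yes' iff the decrypted shares xor back to M."""
        m, cts = peks_tuple
        if len(cts) != len(trapdoor):
            return False
        return xor_all([decrypt(sk, ct) for sk, ct in zip(trapdoor, cts)]) == m


def words_exposed(family, released):
    """Caveat from the text: after the trapdoors for `released` words are out, any other
    word whose subset is covered by their union is searchable with those same keys.
    Cover-freeness guarantees an empty list only while len(released) <= t."""
    pool = frozenset().union(*(family[i] for i in released)) if released else frozenset()
    return [i for i, s in enumerate(family) if i not in released and s <= pool]
```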

Corollary 1. Let $d, t, k, q$ satisfy the bounds of Lemma 3. The PEKS$(d, t, k, q)$ scheme above is semantically secure under a chosen keyword attack assuming the underlying public key encryption scheme $(G, E, D)$ is source-indistinguishable and semantically secure, and that the adversary makes no more than $t$ trapdoor queries. 

Proof sketch: Let $\Sigma = \{W_1, \ldots, W_k\}$ be the keyword dictionary. Suppose we have a PEKS attacker $A$ for which $\mathrm{Adv}_A(s) > \varepsilon(s)$. We build an attacker $B$ that breaks the source indistinguishability of $(G, E, D)$. 

Algorithm $B$ is given two public keys $PK_0, PK_1$ and a pair $(M, C)$ where $M$ is random in $\{0,1\}^s$ and $C = PK_b(M)$ for $b \in \{0,1\}$. Its goal is to output a guess for $b$ which it does by interacting with $A$. Algorithm $B$ generates $d - 2$ additional public/private keys using $G(s)$. It creates $A_{pub}$ as a list of all $d$ public keys with $PK_0, PK_1$ embedded in a random location in the list. Let $W_i, W_j$ be the words associated with the public keys $PK_0, PK_1$. 

$B$ sends $A_{pub}$ to $A$. Algorithm $A$ issues up to $t$ trapdoor queries. $B$ responds to a trapdoor query for $W \in \Sigma$ as follows: let $S \in F$ be the subset corresponding to the word $W$. If $PK_0 \in S$ or $PK_1 \in S$ algorithm $B$ reports failure and aborts. Otherwise, $B$ gives $A$ the set of private keys $\{Priv_i \mid i \in S\}$. 

At some point, algorithm $A$ outputs two words $W'_0, W'_1 \in \Sigma$ on which it wishes to be challenged. Let $S'_0, S'_1 \in F$ be the subsets corresponding to $W'_0, W'_1$ respectively. Let $\mathcal{E}$ be the event that $PK_0 \in S'_0$ and $PK_1 \in S'_1$. If event $\mathcal{E}$ did not happen then $B$ reports failure and aborts. 

We now know that $PK_0 \in S'_0$ and $PK_1 \in S'_1$. For $j = 0, 1$ let $S'_j = \{PK_j^{(1)}, \ldots, PK_j^{(q)}\}$. We arrange things so that $PK_0 = PK_0^{(c)}$ and $PK_1 = PK_1^{(c)}$ for some random $1 \le c \le q$. Next, $B$ picks random $M_1, \ldots, M_{c-1}, M_{c+1}, \ldots, M_q \in \{0,1\}^s$ and sets $M_c = M$. Let $M' = M_1 \oplus \cdots \oplus M_q$. Algorithm $B$ defines the following hybrid tuple: 

$R = \left(M',\ E[PK_0^{(1)}, M_1],\ \ldots,\ E[PK_0^{(c-1)}, M_{c-1}],\ C,\ E[PK_1^{(c+1)}, M_{c+1}],\ \ldots,\ E[PK_1^{(q)}, M_q]\right)$ 

It gives $R$ as the challenge PEKS to algorithm $A$. Algorithm $A$ eventually responds with some $b' \in \{0,1\}$ indicating whether $R$ is PEKS$(A_{pub}, W'_0)$ or PEKS$(A_{pub}, W'_1)$. Algorithm $B$ outputs $b'$ as its guess for $b$. One can show using a standard hybrid argument that if $B$ does not abort then $|\Pr[b = b'] - \frac{1}{2}| > \varepsilon/q^2$. The probability that $B$ does not abort as a result of a trapdoor query is at least $1 - (tq/d)$. The probability that $B$ does not abort as a result of the choice of words $W'_0, W'_1$ is at least $(q/d)^2$. Hence, $B$ does not abort with probability at least $1/\mathrm{poly}(t, q, d)$. Repeatedly running $B$ until it does not abort shows that we can get advantage $\varepsilon/q^2$ in breaking the source indistinguishability of $(G, E, D)$ in expected polynomial time in the running time of $A$. □ 

4 Construction Using Jacobi Symbols 

Given the relation between Identity Based Encryption and PEKS it is tempting to construct a PEKS from an IBE system due to Cocks [3]. The security of Cocks’ IBE system is based on the difficulty of distinguishing quadratic residues from non-residues modulo $N = pq$ where $p = q = 3 \pmod 4$. 

Unfortunately, Galbraith [11] shows that the Cocks system as described in [3] 
is not public-key private in the sense of Bellare et al. [1]. Therefore it appears 
that the Cocks system cannot be directly used to construct a PEKS. It provides 
a good example that constructing a PEKS is a harder problem than constructing 
an IBE. 

5 Conclusions 

We defined the concept of a public key encryption with keyword search (PEKS) 
and gave two constructions. Constructing a PEKS is related to Identity Based En- 
cryption (IBE), though PEKS seems to be harder to construct. We showed that 
PEKS implies Identity Based Encryption, but the converse is currently an open 
problem. Our constructions for PEKS are based on recent IBE constructions. We 
are able to prove security by exploiting extra properties of these schemes. 
Abstract. We provide formal definitions and efficient secure techniques for 

— turning biometric information into keys usable for any cryptographic 
application, and 

— reliably and securely authenticating biometric data. 

Our techniques apply not just to biometric information, but to any key- 
ing material that, unlike traditional cryptographic keys, is (1) not re- 
producible precisely and (2) not distributed uniformly. We propose two 
primitives: a fuzzy extractor extracts nearly uniform randomness R from 
its biometric input; the extraction is error-tolerant in the sense that R 
will be the same even if the input changes, as long as it remains reason- 
ably close to the original. Thus, R can be used as a key in any crypto- 
graphic application. A secure sketch produces public information about 
its biometric input w that does not reveal w, and yet allows exact re- 
covery of w given another value that is close to w. Thus, it can be used 
to reliably reproduce error-prone biometric inputs without incurring the 
security risk inherent in storing them. 

In addition to formally introducing our new primitives, we provide nearly 
optimal constructions of both primitives for various measures of “close- 
ness” of input data, such as Hamming distance, edit distance, and set 
difference. 



1 Introduction 

Cryptography traditionally relies on uniformly distributed random strings for its 
secrets. Reality, however, makes it difficult to create, store, and reliably retrieve 
such strings. Strings that are neither uniformly random nor reliably reproducible 
seem to be more plentiful. For example, a random person’s fingerprint or iris scan 
is clearly not a uniform random string, nor does it get reproduced precisely each 
time it is measured. Similarly, a long pass-phrase (or answers to 15 questions 
[12] or a list of favorite movies [16]) is not uniformly random and is difficult 
to remember for a human user. This work is about using such nonuniform and 
unreliable secrets in cryptographic applications. Our approach is rigorous and 
general, and our results have both theoretical and practical value. 



C. Cachin and J. Camenisch (Eds.): EUROCRYPT 2004, LNCS 3027, pp. 523—540, 2004. 
(c) International Association for Cryptologic Research 2004 
To illustrate the use of random strings on a simple example, let us consider the task of password authentication. A user Alice has a password $w$ and wants to gain access to her account. A trusted server stores some information $y = f(w)$ about the password. When Alice enters $w$, the server lets Alice in only if $f(w) = y$. In this simple application, we assume that it is safe for Alice to enter the password for the verification. However, the server’s long-term storage is not assumed to be secure (e.g., $y$ is stored in a publicly readable /etc/passwd file in UNIX). The goal, then, is to design an efficient $f$ that is hard to invert (i.e., given $y$ it is hard to find $w'$ s.t. $f(w') = y$), so that no one can figure out Alice’s password from $y$. Recall that such functions $f$ are called one-way functions. 

Unfortunately, the solution above has several problems when used with passwords $w$ available in real life. First, the definition of a one-way function assumes that $w$ is truly uniform, and guarantees nothing if this is not the case. However, human-generated and biometric passwords are far from uniform, although they do have some unpredictability in them. Second, Alice has to reproduce her password exactly each time she authenticates herself. This restriction severely limits the kinds of passwords that can be used. Indeed, a human can precisely memorize and reliably type in only relatively short passwords, which do not provide an adequate level of security. Greater levels of security are achieved by longer human-generated and biometric passwords, such as pass-phrases, answers to questionnaires, handwritten signatures, fingerprints, retina scans, voice commands, and other values selected by humans or provided by nature, possibly in combination (see [11] for a survey). However, two biometric readings are rarely identical, even though they are likely to be close; similarly, humans are unlikely to precisely remember their answers to multiple questions from time to time, though such answers will likely be similar. In other words, the ability to tolerate a (limited) number of errors in the password while retaining security is crucial if we are to obtain greater security than provided by typical user-chosen short passwords. 

The password authentication described above is just one example of a cryp- 
tographic application where the issues of nonuniformity and error tolerance nat- 
urally come up. Other examples include any cryptographic application, such as 
encryption, signatures, or identification, where the secret key comes in the form 
of “biometric” data. 

Our Definitions. We propose two primitives, termed secure sketch and fuzzy 
extractor. 

A secure sketch addresses the problem of error tolerance. It is a (probabilistic) function outputting a public value $v$ about its biometric input $w$, that, while revealing little about $w$, allows its exact reconstruction from any other input $w'$ that is sufficiently close. The price for this error tolerance is that the application will have to work with a lower level of entropy of the input, since publishing $v$ effectively reduces the entropy of $w$. However, in a good secure sketch, this reduction will be small, and $w$ will still have enough entropy to be useful, even if the adversary knows $v$. A secure sketch, however, does not address nonuniformity of inputs. 
A fuzzy extractor addresses both error tolerance and nonuniformity. It reliably extracts a uniformly random string $R$ from its biometric input $w$ in an error-tolerant way. If the input changes but remains close, the extracted $R$ remains the same. To assist in recovering $R$ from $w'$, a fuzzy extractor outputs a public string $P$ (much like a secure sketch outputs $v$ to assist in recovering $w$). However, $R$ remains uniformly random even given $P$. 

Our approach is general: our primitives can be naturally combined with any 
cryptographic system. Indeed, R extracted from w by a fuzzy extractor can be 
used as a key in any cryptographic application, but, unlike traditional keys, need 
not be stored (because it can be recovered from any w' that is close to w). We 
define our primitives to be information-theoretically secure, thus allowing them 
to be used in combination with any cryptographic system without additional 
assumptions (however, the cryptographic application itself will typically have 
computational, rather than information-theoretic, security). 

For a concrete example of how to use fuzzy extractors, in the password authentication case, the server can store $(P, f(R))$. When the user inputs $w'$ close to $w$, the server recovers the actual $R$ and checks if $f(R)$ matches what it stores. Similarly, $R$ can be used for symmetric encryption, for generating a public-secret key pair, or any other application. Secure sketches and extractors can thus be viewed as providing fuzzy key storage: they allow recovery of the secret key ($w$ or $R$) from a faulty reading $w'$ of the password $w$, by using some public information ($v$ or $P$). In particular, fuzzy extractors can be viewed as error- and nonuniformity-tolerant secret key-encapsulation mechanisms [27]. 

Because different biometric information has different error patterns, we do not assume any particular notion of closeness between $w'$ and $w$. Rather, in defining our primitives, we simply assume that $w$ comes from some metric space, and that $w'$ is no more than a certain distance from $w$ in that space. We only consider particular metrics when building concrete constructions. 

General Results. Before proceeding to construct our primitives for concrete 
metrics, we make some observations about our definitions. We demonstrate that 
fuzzy extractors can be built out of secure sketches by utilizing (the usual) 
strong randomness extractors [24], such as, for example, pairwise-independent 
hash functions. We also demonstrate that the existence of secure sketches and 
fuzzy extractors over a particular metric space implies the existence of certain 
error-correcting codes in that space, thus producing lower bounds on the best 
parameters a secure fingerprint and fuzzy extractor can achieve. Finally, we 
define a notion of a biometric embedding of one metric space into another, and 
show that the existence of a fuzzy extractor in the target space implies, combined 
with a biometric embedding of the source into the target, the existence of a fuzzy 
extractor in the source space. 

These general results help us in building and analyzing our constructions. 

Our Constructions. We provide constructions of secure sketches and extrac- 
tors in three metrics: Hamming distance, set difference, and edit distance. 
Hamming distance (i.e., the number of bit positions that differ between $w$ and $w'$) is perhaps the most natural metric to consider. We observe that the “fuzzy-commitment” construction of Juels and Wattenberg [15] based on error-correcting codes can be viewed as a (nearly optimal) secure sketch. We then apply our general result to convert it into a nearly optimal fuzzy extractor. While our results on the Hamming distance essentially use previously known constructions, they serve as an important stepping stone for the rest of the work. 

The set difference metric (i.e., size of the symmetric difference of two input sets $w$ and $w'$) comes up naturally whenever the biometric input is represented as a subset of features from a universe of possible features.¹ We demonstrate the existence of optimal (with respect to entropy loss) secure sketches (and therefore also fuzzy extractors) for this metric. However, this result is mainly of theoretical interest, because (1) it relies on optimal constant-weight codes, which we do not know how to construct and (2) it produces sketches of length proportional to the universe size. We then turn our attention to more efficient constructions for this metric, and provide two of them. 

First, we observe that the “fuzzy vault” construction of Juels and Sudan [16] can be viewed as a secure sketch in this metric (and then converted to a fuzzy extractor using our general result). We provide a new, simpler analysis for this construction, which bounds the entropy lost from $w$ given $v$. Our bound on the loss is quite high unless one makes the size of the output $v$ very large. We then provide an improvement to the Juels-Sudan construction to reduce the entropy loss to near optimal, while keeping $v$ short (essentially as long as $w$). 

Second, we note that in the case of a small universe, a set can be simply encoded as its characteristic vector (1 if an element is in the set, 0 if it is not), and set difference becomes Hamming distance. However, the length of such a vector becomes unmanageable as the universe size grows. Nonetheless, we demonstrate that this approach can be made to work efficiently even for exponentially large universes. This involves a result that may be of independent interest: we show that BCH codes can be decoded in time polynomial in the weight of the received corrupted word (i.e., in sublinear time if the weight is small). The resulting secure sketch scheme compares favorably to the modified Juels-Sudan construction: it has the same near-optimal entropy loss, while the public output $v$ is even shorter (proportional to the number of errors tolerated, rather than the input length). 

Finally, edit distance (i.e., the number of insertions and deletions needed to convert one string into the other) naturally comes up, for example, when the password is entered as a string, due to typing errors or mistakes made in handwriting recognition. We construct a biometric embedding from the edit metric into the set difference metric, and then apply our general result to show such an embedding yields a fuzzy extractor for edit distance, because we already have fuzzy extractors for set difference. We note that the edit metric is quite difficult to work with, and the existence of such an embedding is not a priori obvious: for example, low-distortion embeddings of the edit distance into the Hamming distance are unknown and seem hard [2]. It is the particular properties of biometric embeddings, as we define them, that help us construct this embedding. 

¹ A perhaps unexpected application of the set difference metric was explored in [16]: a user would like to encrypt a file (e.g., her phone number) using a small subset of values from a large universe (e.g., her favorite movies) in such a way that those and only those with a similar subset (e.g., similar taste in movies) can decrypt it. 

Relation to Previous Work. Since our work combines elements of error 
correction, randomness extraction and password authentication, there has been 
a lot of related work. 

The need to deal with nonuniform and low-entropy passwords has long been 
realized in the security community, and many approaches have been proposed. 
For example, Ellison et al. [10] propose asking the user a series of $n$ personalized questions, and use these answers to encrypt the “actual” truly random secret $R$. A similar approach using the user’s keyboard dynamics (and, subsequently, voice [21,22]) was proposed by Monrose et al. [20]. Of course, this technique 
reduces the question to that of designing a secure “fuzzy encryption”. While 
heuristic approaches were suggested in the above works (using various forms 
of Shamir’s secret sharing), no formal analysis was given. Additionally, error 
tolerance was addressed only by brute force search. 

A formal approach to error tolerance in biometrics was taken by Juels and Wattenberg [15] (for less formal solutions, see [8,20,10]), who provided a simple way to tolerate errors in uniformly distributed passwords. Frykholm and Juels [12] extended this solution; our analysis is quite similar to theirs in the Hamming distance case. Almost the same construction appeared implicitly in earlier, seemingly unrelated, literature on information reconciliation and privacy amplification (see, e.g., [3,4,7]). We discuss the connections between these works and our work further in Section 4. 

Juels and Sudan [16] provided the first construction for a metric other than Hamming: they construct a “fuzzy vault” scheme for the set difference metric. The main difference is that [16] lacks a cryptographically strong definition of the object constructed. In particular, their construction leaks a significant amount of information about their analog of $R$, even though it leaves the adversary with provably “many valid choices” for $R$. In retrospect, their notion can be viewed as an (information-theoretically) one-way function, rather than a semantically-secure key encapsulation mechanism, like the one considered in this work. Nonetheless, their informal notion is very closely related to our secure sketches, and we improve their construction in Section 5. 

Linnartz and Tuyls [18] define and construct a primitive very similar to a fuzzy extractor (that line of work was continued in [28]). The definition of [18] focuses on the continuous space $\mathbb{R}^n$, and assumes a particular input distribution (typically a known, multivariate Gaussian). Thus, our definition of a fuzzy extractor can be viewed as a generalization of the notion of a “shielding function” from [18]. However, our constructions focus on discrete metric spaces. 

Work on privacy amplification [3,4], as well as work on de-randomization 
and hardness amplification [14,24], also addressed the need to extract uniform 
randomness from a random variable about which some information has been 
leaked. A major focus of research in that literature has been the development of (ordinary, not fuzzy) extractors with short seeds (see [26] for a survey). We 
use extractors in this work (though for our purposes, pairwise independent hash- 
ing [3,14] is sufficient). Conversely, our work has been applied recently to pri- 
vacy amplification: Ding [9] uses fuzzy extractors for noise tolerance in Maurer’s 
bounded storage model. 

Extensions. We can relax the error correction properties of sketches and fuzzy 
extractors to allow list decoding: instead of outputting one correct secret, we can 
output a short list of secrets, one of which is correct. For many applications (e.g., 
password authentication), this is sufficient, while the advantage is that we can 
possibly tolerate many more errors in the password. Not surprisingly, by using 
list-decodable codes (see [13] and the references therein) in our constructions, we 
can achieve this relaxation and considerably improve our error tolerance. Other 
similar extensions would be to allow small error probability in error-correction, to 
ensure correction of only average-case errors, or to consider nonbinary alphabets. 
Again, many of our results will extend to these settings. Finally, an interesting 
new direction is to consider other metrics not considered in this work. 

2 Preliminaries 

Unless explicitly stated otherwise, all logarithms below are base 2. We use $U_\ell$ to denote the uniform distribution on $\ell$-bit binary strings. 

Entropy. The min-entropy $H_\infty(A)$ of a random variable $A$ is $-\log(\max_a \Pr(A = a))$. For a pair of (possibly correlated) random variables $A, B$, a conventional notion of “average min-entropy” of $A$ given $B$ would be $\mathbb{E}_{b \leftarrow B}[H_\infty(A \mid B = b)]$. 

However, for the purposes of this paper, the following slightly modified notion will be more robust: we let $\tilde{H}_\infty(A \mid B) = -\log\left(\mathbb{E}_{b \leftarrow B}\left[2^{-H_\infty(A \mid B = b)}\right]\right)$. Namely, we define average min-entropy of $A$ given $B$ to be the logarithm of the average probability of the most likely value of $A$ given $B$. One can easily verify that if $B$ is an $\ell$-bit string, then $\tilde{H}_\infty(A \mid B) \ge H_\infty(A) - \ell$. 

Strong Extractors. The statistical distance between two probability distributions $A$ and $B$ is $\mathrm{SD}(A, B) = \frac{1}{2}\sum_v |\Pr(A = v) - \Pr(B = v)|$. We can now define strong randomness extractors [24]. 

Definition 1. An efficient $(n, m', \ell, \varepsilon)$-strong extractor is a polynomial time probabilistic function $\mathrm{Ext} : \{0,1\}^n \to \{0,1\}^\ell$ such that for all min-entropy $m'$ distributions $W$, we have $\mathrm{SD}((\mathrm{Ext}(W; X), X), (U_\ell, X)) \le \varepsilon$, where $\mathrm{Ext}(W; X)$ stands for applying $\mathrm{Ext}$ to $W$ using (uniformly distributed) randomness $X$. 

Strong extractors can extract at most $\ell = m' - 2\log(1/\varepsilon) + O(1)$ nearly random bits [25]. Many constructions match this bound (see Shaltiel’s survey [26] for references). Extractor constructions are often complex since they seek to minimize the length of the seed $X$. For our purposes, the length of $X$ will be less important, so 2-wise independent hash functions will already give us optimal $\ell = m' - 2\log(1/\varepsilon)$ [3,14]. 
Metric Spaces. A metric space is a set $\mathcal{M}$ with a distance function $\mathrm{dis} : \mathcal{M} \times \mathcal{M} \to \mathbb{R}^+ = [0, \infty)$ which obeys various natural properties. In this work, $\mathcal{M}$ will always be a finite set, and the distance function will only take on integer values. The size of $\mathcal{M}$ will always be denoted $N = |\mathcal{M}|$. We will assume that any point in $\mathcal{M}$ can be naturally represented as a binary string of appropriate length $O(\log N)$. 

We will concentrate on the following metrics. (1) Hamming metric. Here $\mathcal{M} = \mathcal{F}^n$ over some alphabet $\mathcal{F}$ (we will mainly use $\mathcal{F} = \{0, 1\}$), and $\mathrm{dis}(w, w')$ is the number of positions in which they differ. (2) Set Difference metric. Here $\mathcal{M}$ consists of all $s$-element subsets in a universe $\mathcal{U} = [n] = \{1, \ldots, n\}$. The distance between two sets $A, B$ is the number of points in $A$ that are not in $B$. Since $A$ and $B$ have the same size, the distance is half of the size of their symmetric difference: $\mathrm{dis}(A, B) = \frac{1}{2}|A \triangle B|$. (3) Edit metric. Here again $\mathcal{M} = \mathcal{F}^n$, but the distance between $w$ and $w'$ is defined to be one half of the smallest number of character insertions and deletions needed to transform $w$ into $w'$. 

As already mentioned, all three metrics seem natural for biometric data. 

Coding. Since we want to achieve error tolerance in various metric spaces, we will use error-correcting codes in the corresponding metric space $\mathcal{M}$. A code $C$ is a subset $\{w_1, \ldots, w_K\}$ of $K$ elements of $\mathcal{M}$ (for efficiency purposes, we want the map from $i$ to $w_i$ to be polynomial-time). The minimum distance of $C$ is the smallest $d > 0$ such that for all $i \ne j$ we have $\mathrm{dis}(w_i, w_j) \ge d$. In our case of integer metrics, this means that one can detect up to $(d - 1)$ “errors” in any codeword. The error-correcting distance of $C$ is the largest number $t > 0$ such that for every $w \in \mathcal{M}$ there exists at most one codeword $w_i$ in the ball of radius $t$ around $w$: $\mathrm{dis}(w, w_i) \le t$ for at most one $i$. Clearly, for integer metrics we have $t = \lfloor (d - 1)/2 \rfloor$. Since error correction will be more important in our applications, we denote the corresponding codes by $(\mathcal{M}, K, t)$-codes. For the Hamming and the edit metrics on strings of length $n$ over some alphabet $\mathcal{F}$, we will sometimes call $k = \log_{|\mathcal{F}|} K$ the dimension of the code, and denote the code itself as an $[n, k, d = 2t + 1]$-code, following the standard notation in the literature. 



3 Definitions and General Lemmas 



Let $\mathcal{M}$ be a metric space on $N$ points with distance function $\mathrm{dis}$. 

Definition 2. An $(\mathcal{M}, m, m', t)$-secure sketch is a randomized map $\mathrm{SS} : \mathcal{M} \to \{0, 1\}^*$ with the following properties. 

1. There exists a deterministic recovery function $\mathrm{Rec}$ allowing to recover $w$ from its sketch $\mathrm{SS}(w)$ and any vector $w'$ close to $w$: for all $w, w' \in \mathcal{M}$ satisfying $\mathrm{dis}(w, w') \le t$, we have $\mathrm{Rec}(w', \mathrm{SS}(w)) = w$. 

2. For all random variables $W$ over $\mathcal{M}$ with min-entropy $m$, the average min-entropy of $W$ given $\mathrm{SS}(W)$ is at least $m'$. That is, $\tilde{H}_\infty(W \mid \mathrm{SS}(W)) \ge m'$. 

The secure sketch is efficient if $\mathrm{SS}$ and $\mathrm{Rec}$ run in time polynomial in the representation size of a point in $\mathcal{M}$. We denote the random output of $\mathrm{SS}$ by $\mathrm{SS}(W)$, or by $\mathrm{SS}(W; X)$ when we wish to make the randomness explicit. 

We will have several examples of secure sketches when we discuss specific 
metrics. The quantity m — m' is called the entropy loss of a secure sketch. Our 
proofs in fact bound m — m', and the same bound holds for all values of m. 

Definition 3. An $(\mathcal{M}, m, \ell, t, \varepsilon)$ fuzzy extractor is given by two procedures $(\mathrm{Gen}, \mathrm{Rep})$. 

1. $\mathrm{Gen}$ is a probabilistic generation procedure, which on input $w \in \mathcal{M}$ outputs an “extracted” string $R \in \{0,1\}^\ell$ and a public string $P$. We require that for any distribution $W$ on $\mathcal{M}$ of min-entropy $m$, if $(R, P) \leftarrow \mathrm{Gen}(W)$, then we have $\mathrm{SD}((R, P), (U_\ell, P)) \le \varepsilon$. 

2. $\mathrm{Rep}$ is a deterministic reproduction procedure allowing to recover $R$ from the corresponding public string $P$ and any vector $w'$ close to $w$: for all $w, w' \in \mathcal{M}$ satisfying $\mathrm{dis}(w, w') \le t$, if $(R, P) \leftarrow \mathrm{Gen}(w)$, then we have $\mathrm{Rep}(w', P) = R$. 

The fuzzy extractor is efficient if Gen and Rep run in time polynomial in the 
representation size of a point in M. 

In other words, fuzzy extractors allow one to extract some randomness R from w and then successfully reproduce R from any string w' that is close to w. The reproduction is done with the help of the public string P produced during the initial extraction; yet R looks truly random even given P. To justify our terminology, notice that strong extractors (as defined in Section 2) can indeed be seen as "nonfuzzy" analogs of fuzzy extractors, corresponding to t = 0, P = X (and M = {0,1}^n).

Construction of Fuzzy Extractors from Secure Sketches. Not surprisingly, secure sketches come in very handy in constructing fuzzy extractors. Specifically, we construct fuzzy extractors from secure sketches and strong extractors. For that, we assume that one can naturally represent a point w in M using n bits. The strong extractor we use is the standard pairwise-independent hashing construction, which has (optimal) entropy loss 2 log(1/ε). The proof of the following lemma uses the "left-over hash" (a.k.a. "privacy amplification") lemma of [14,4], and can be found in the full version of our paper.

Lemma 1 (Fuzzy Extractors from Sketches). Assume SS is an (M, m, m', t)-secure sketch with recovery procedure Rec, and let Ext be the (n, m', ℓ, ε)-strong extractor based on pairwise-independent hashing (in particular, ℓ = m' − 2 log(1/ε)). Then the following (Gen, Rep) is an (M, m, ℓ, t, ε)-fuzzy extractor:

- Gen(W; X1, X2): set P = (SS(W; X1), X2), R = Ext(W; X2), output (R, P).
- Rep(W', (V, X2)): recover W = Rec(W', V) and output R = Ext(W; X2).
Remark 1. One can prove an analogous form of Lemma 1 using any strong extractor. However, in general, the resulting reduction leads to fuzzy extractors with min-entropy loss 3 log(1/ε) instead of 2 log(1/ε). This may happen in the case when the extractor does not have a convex tradeoff between the input entropy and the distance from uniform of the output. Then one can instead use a high-probability bound on the min-entropy of the input (that is, if H̃∞(X | Y) ≥ m' then the event H∞(X | Y = y) ≥ m' − log(1/ε) happens with probability 1 − ε).

Sketches for Transitive Metric Spaces. We give a general technique for building secure sketches in transitive metric spaces, which we now define. A permutation π on a metric space M is an isometry if it preserves distances, i.e. dis(a, b) = dis(π(a), π(b)). A family of permutations Π = {π_i}_{i ∈ I} acts transitively on M if for any two elements a, b ∈ M, there exists π_i ∈ Π such that π_i(a) = b. Suppose we have a family Π of transitive isometries for M (we will call such M transitive). For example, in the Hamming space, the set of all shifts π_x(w) = w ⊕ x is such a family (see Section 4 for more details on this example).

Let C be an (M, K, t)-code. Then the general sketching scheme is the following: given an input w ∈ M, pick a random codeword b ∈ C, pick a random permutation π ∈ Π such that π(w) = b, and output SS(w) = π. To recover w given w' and the sketch π, find the closest codeword b' to π(w') and output π^{-1}(b'). This works when dis(w, w') ≤ t, because then dis(b, π(w')) ≤ t, so decoding π(w') will result in b' = b, which in turn means that π^{-1}(b') = w.

A bound on the entropy loss of this scheme, which follows simply from "counting" entropies, is |"π"| − log K, where |"π"| is the size, in bits, of a canonical description of π. (We omit the proof, as it is a simple generalization of the proof of Lemma 3.) Clearly, this quantity will be small if the family Π of transitive isometries is small and the code C is dense. (For the scheme to be usable, we also need the operations on the code, as well as π and π^{-1}, to be implementable reasonably efficiently.)

Constructions from Biometric Embeddings. We now introduce a general technique that allows one to build good fuzzy extractors in some metric space M1 from good fuzzy extractors in some other metric space M2. Below, we let dis(·,·)_i denote the distance function in M_i. The technique is to embed M1 into M2 so as to "preserve" relevant parameters for fuzzy extraction.

Definition 4. A function f : M1 → M2 is called a (t1, t2, m1, m2)-biometric embedding if the following two conditions hold:

— ∀ w1, w2 ∈ M1 such that dis(w1, w2)_1 ≤ t1, we have dis(f(w1), f(w2))_2 ≤ t2.

— ∀ W1 on M1 such that H∞(W1) ≥ m1, we have H∞(f(W1)) ≥ m2.

The following lemma is immediate:

Lemma 2. If f is a (t1, t2, m1, m2)-biometric embedding of M1 into M2 and (Gen1(·), Rep1(·, ·)) is an (M2, m2, ℓ, t2, ε)-fuzzy extractor, then (Gen1(f(·)), Rep1(f(·), ·)) is an (M1, m1, ℓ, t1, ε)-fuzzy extractor.

Notice that a similar result does not hold for secure sketches, unless f is injective (and efficiently invertible).

We will see the utility of this particular notion of embedding (as opposed to previously defined notions) in Section 6.

4 Constructions for Hamming Distance 

In this section we consider constructions for the space M = {0,1}^n under the Hamming distance metric.

The Code-Offset Construction. Juels and Wattenberg [15] considered a notion of "fuzzy commitment."* Given a binary [n, k, 2t + 1] error-correcting code C (not necessarily linear), they fuzzy-commit to X by publishing W ⊕ C(X). Their construction can be rephrased in our language to give a very simple construction of secure sketches: for random X ← {0,1}^k, set

SS(W; X) = W ⊕ C(X).

(Note that if W is uniform, this secure sketch directly yields a fuzzy extractor with R = X.)

When the code C is linear, this is equivalent to revealing the syndrome of the input w, and so we do not need the randomness X. Namely, in this case we could have set SS(w) = syn_C(w) (as mentioned in the introduction, this construction also appears implicitly in the information reconciliation literature, e.g. [3,4,7]: when Alice and Bob hold secret values which are very close in Hamming distance, one way to correct the differences with few bits of communication is for Alice to send to Bob the syndrome of her word w with respect to a good linear code.)

Since the syndrome of a k-dimensional linear code is n − k bits long, it is clear that SS(w) leaks only n − k bits about w. In fact, we show the same is true even for nonlinear codes.

Lemma 3. For any [n, k, 2t + 1] code C and any m, SS above is an (M, m, m + k − n, t) secure sketch. It is efficient if the code C allows decoding errors in polynomial time.

Proof. Let D be the decoding procedure of our code C. Since D can correct up to t errors, if v = w ⊕ C(x) and dis(w, w') ≤ t, then D(w' ⊕ v) = x. Thus, we can set Rec(w', v) = v ⊕ C(D(w' ⊕ v)).

Let A be the joint variable (X, W). Together, these have min-entropy m + k when H∞(W) = m. Since SS(W) ∈ {0,1}^n, we have H̃∞(W, X | SS(W)) ≥ m + k − n. Now given SS(W), W and X determine each other uniquely, and so H̃∞(W | SS(W)) ≥ m + k − n as well. □

In the full version, we present some generic lower bounds on secure sketches and extractors. Let A(n, d) denote the maximum number of codewords possible in a code of distance d in {0,1}^n. Then the entropy loss of a secure sketch for the Hamming metric is at least n − log A(n, 2t + 1), when the input is uniform (that is, when m = n). This means that the code-offset construction above is optimal for the case of uniform inputs. Of course, we do not know the exact value of A(n, d), never mind of efficiently decodable codes which meet the bound, for most settings of n and d. Nonetheless, the code-offset scheme gets as close to optimality as is possible in coding.

* In their interpretation, one commits to X by picking a random W and publishing SS(W; X).

Getting Fuzzy Extractors. As a warm-up, consider the case when W is uniform (m = n) and look at the code-offset sketch construction: V = W ⊕ C(X). Setting R = X, P = V and Rep(W', V) = D(V ⊕ W'), we clearly get an (M, n, k, t, 0) fuzzy extractor, since V is truly random when W is random, and therefore independent of X. In fact, this is exactly the usage proposed by Juels-Wattenberg, except they viewed the above fuzzy extractor as a way to use W to "fuzzy commit" to X, without revealing information about X.

Unfortunately, the above construction setting R = X only works for uniform W, since otherwise V would leak information about X. However, by using the construction in Lemma 1, we get

Lemma 4. Given any [n, k, 2t + 1] code C and any m, ε, we can get an (M, m, ℓ, t, ε) fuzzy extractor, where ℓ = m + k − n − 2 log(1/ε). The recovery Rep is efficient if C allows decoding errors in polynomial time.
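An added worked example (not code from the paper) of the code-offset sketch and the Lemma 1 / Lemma 4 fuzzy extractor built on it, instantiated with the binary [7, 4, 3] Hamming code (t = 1) and the pairwise-independent hash h_{M,b}(w) = M·w ⊕ b over GF(2) as the strong extractor. Function names, the bit-list representation and the toy parameter ℓ are assumptions of this example.

```python
import random

N, K, T = 7, 4, 1  # the [n, k, 2t+1] = [7, 4, 3] Hamming code: n - k = 3 bits of entropy loss


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def hamming_encode(data):
    """C(x) for the [7,4,3] Hamming code; parity bits sit at positions 1, 2 and 4."""
    d1, d2, d3, d4 = data
    return [d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d1, d2 ^ d3 ^ d4, d2, d3, d4]


def hamming_decode(word):
    """D(w): syndrome decoding.  Corrects up to t = 1 flipped bit and returns the data x."""
    w = list(word)
    syndrome = 0
    for j in range(3):  # syndrome bit j = parity over the positions whose index has bit j set
        parity = 0
        for pos in range(1, N + 1):
            if pos >> j & 1:
                parity ^= w[pos - 1]
        syndrome |= parity << j
    if syndrome:  # a nonzero syndrome is the 1-based index of the flipped position
        w[syndrome - 1] ^= 1
    return [w[2], w[4], w[5], w[6]]


def ss(w, x):
    """Code-offset secure sketch SS(W; X) = W xor C(X) for random X in {0,1}^k."""
    return xor(w, hamming_encode(x))


def rec(w_prime, v):
    """Rec(w', v) = v xor C(D(w' xor v)); returns w whenever dis(w, w') <= t."""
    return xor(v, hamming_encode(hamming_decode(xor(w_prime, v))))


def ext(w, M, b):
    """Pairwise-independent hash h_{M,b}(w) = M.w xor b over GF(2); M is ell x n."""
    return [sum(m * wi for m, wi in zip(row, w)) % 2 ^ bi for row, bi in zip(M, b)]


def gen(w, ell, rng=random):
    """Gen(W; X1, X2) of Lemma 1: P = (SS(W; X1), X2) with X2 = (M, b), R = Ext(W; X2).
    Lemma 4 allows ell = m + k - n - 2 log(1/eps); with n = 7 any ell is only a toy value."""
    x1 = [rng.randrange(2) for _ in range(K)]
    M = [[rng.randrange(2) for _ in range(N)] for _ in range(ell)]
    b = [rng.randrange(2) for _ in range(ell)]
    return ext(w, M, b), (ss(w, x1), M, b)


def rep(w_prime, P):
    """Rep(W', (V, X2)): first Rec the original W, then re-apply the same hash."""
    v, M, b = P
    return ext(rec(w_prime, v), M, b)
```

With two flipped bits (beyond t), the Hamming decoder lands on a different codeword, so Rec returns a wrong w and Rep a wrong R, exactly the failure mode the distance bound in Definition 2 rules out.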



5 Constructions for Set Difference 

Consider the collection of all sets of a particular size s in a universe U = [n] = {1, ..., n}. The distance between two sets A, B is the number of points in A that are not in B. Since A and B have the same size, the distance is half of the size of their symmetric difference: dis(A, B) = |A Δ B|/2. If A and B are viewed as n-bit characteristic vectors over [n], this metric is the same as the Hamming metric (scaled by 1/2). Thus, the set difference metric can be viewed as a restriction of the binary Hamming metric to all the strings with exactly s nonzero components. However, one typically assumes that n is much larger than s, so that representing a set by n bits is much less efficient than, say, writing down a list of elements, which requires (s log n) bits.

Large Versus Small Universes. Most of this section studies situations where the universe size n is super-polynomial in the set size s. We call this the large universe setting. By contrast, the small universe setting refers to situations in which n = poly(s). We want our various constructions to run in polynomial time and use polynomial storage space. Thus, the large universe setting is exactly the setting in which the n-bit string representation of a set becomes too large to be usable. We consider the small-universe setting first, since it appears simpler (Section 5.1). The remaining subsections consider large universes.
5.1 Small Universes

When the universe size is polynomial in s, there are a number of natural constructions. Perhaps the most direct one, given previous work, is the construction of Juels and Sudan [16]. Unfortunately, that scheme achieves relatively poor parameters (see Section 5.2). We suggest two possible constructions. The first one represents sets as n-bit strings and uses the constructions of the previous section (with the caveat that Hamming distance is off by a factor of 2 from set difference).

The second construction goes directly through codes for set difference, also called "constant-weight" codes. A constant-weight code is an ordinary error-correcting code in {0,1}^n in which all of the codewords have the same Hamming weight s. The set difference metric is transitive — the metric is invariant under permutations of the underlying universe U, and for any two sets of the same size A, B there is a permutation of U that maps A to B. Thus, one can use the general scheme for secure sketches in transitive metrics (Section 3) to get a secure sketch for set difference with output length about n log n.

The full version of the paper contains a more detailed comparison of the two constructions. Briefly: the second construction achieves better parameters since, according to currently proved bounds, it seems that constant-weight codes can be more dense than ordinary codes. On the other hand, explicit codes which highlight this difference are not known, and much more is known about efficient implementations of decoding for ordinary codes. In practice, the Hamming-based scheme is likely to be more useful.

5.2 Modifying the Construction of Juels and Sudan 

We now turn to the large universe setting, where n is super-polynomial in s. Juels and Sudan [16] proposed a secure sketch for the set difference metric (called a "fuzzy vault" in that paper). They assume for simplicity that n = |U| is a prime power and work over the field F = GF(n). On input set A, the sketch they produce is a set of r pairs of points (x_i, y_i) in F, with s < r ≤ n. Of the x_i values, s are the elements of A, and their corresponding y_i values are evaluations of a random degree-(s − 2t − 1) polynomial p at x_i; the remaining r − s of the (x_i, y_i) values are chosen at random but not on p. The original analysis [16] does not extend to the case of a nonuniform password in a large universe. However, we give a simpler analysis which does cover that range of parameters. Their actual scheme, as well as our new analysis, can be found in the full version of the paper. We summarize here:

Lemma 5. The entropy loss of the Juels-Sudan scheme is at most m − m' = 2t log n + log $\binom{r}{s}$ − log $\binom{n}{s}$.

Their scheme requires storage 2r log n. In the large universe setting, we will have r ≪ n (since we wish to have storage polynomial in s). In that setting, the bound on the entropy loss of the Juels-Sudan scheme is in fact very large. We can rewrite the entropy loss as 2t log n − log $\binom{n}{r}$ + log $\binom{n-s}{r-s}$, using the identity $\binom{n}{r}\binom{r}{s} = \binom{n}{s}\binom{n-s}{r-s}$. The entropy of A is at most log $\binom{n}{s}$, and so our lower bound on the remaining entropy is (log $\binom{n}{r}$ − 2t log n). To make this quantity large requires making r very large.

Modified JS Sketches. We suggest a modification of the Juels-Sudan scheme with entropy loss at most 2t log n and storage s log n. Our scheme has the advantage of being even simpler to analyze. As before, we assume n is a prime power and work over F = GF(n). An intuition for the scheme is that the numbers y_{s+1}, ..., y_r from the JS scheme need not be chosen at random. One can instead evaluate them as y_i = p'(x_i) for some polynomial p'. One can then represent the entire list of pairs (x_i, y_i) using only the coefficients of p'.

Algorithm 1 (Modified JS Secure Sketch). Input: a set A ⊆ U.

1. Choose p() at random from the set of polynomials of degree at most k = s − 2t − 1 over F.

2. Let p'() be the unique monic polynomial of degree exactly s such that p'(x) = p(x) for all x ∈ A.
   (Write p'(x) = x^s + Σ_{i=0}^{s−1} a_i x^i. Solve for a_0, ..., a_{s−1} using the s linear constraints p'(x) = p(x), x ∈ A.)

3. Output the list of coefficients of p'(), that is SS(A) = (a_0, ..., a_{s−1}).

First, observe that solving for p'() in Step 2 is always possible, since the s constraints Σ_{i=0}^{s−1} a_i x^i = p(x) − x^s, x ∈ A, are linearly independent (this is just polynomial interpolation).

Second, this sketch scheme can tolerate t set difference errors. Suppose we are given a set B ⊆ U which agrees with A in at least s − t positions. Given p' = SS(A), one can evaluate p' on all the points in the set B. The resulting vector agrees with p on at least s − t positions, and using the decoding algorithm for Reed-Solomon codes, one can thus reconstruct p exactly (since k = s − 2t − 1). Finally, the set A can be recovered by finding the roots of the polynomial p' − p: since p' − p is not identically zero and has degree exactly s, it can have at most s roots and so p' − p is zero only on A.
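An added worked implementation of Algorithm 1 and its recovery procedure (not the paper's own code), over a prime field GF(P). It assumes the universe U is identified with the field elements {0, ..., P−1}, and uses Berlekamp-Welch decoding as the Reed-Solomon decoder; the helper names are this example's own.

```python
import random

P = 101  # constructed toy universe: n = |U| = 101, a prime, so U = GF(101) = {0, ..., 100}

def poly_eval(coeffs, x):
    """Evaluate [c0, c1, ...] (c_i is the x^i coefficient) at x, modulo P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def poly_sub(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [(x - y) % P for x, y in zip(a, b)]

def poly_div(num, den):
    """Exact quotient num / den (den is assumed to divide num)."""
    num, dl = num[:], len(den) - 1
    inv = pow(den[-1], P - 2, P)
    q = [0] * (len(num) - dl)
    for i in range(len(num) - 1, dl - 1, -1):
        c = num[i] * inv % P
        q[i - dl] = c
        for j in range(dl + 1):
            num[i - dl + j] = (num[i - dl + j] - c * den[j]) % P
    return q

def interpolate(xs, ys):
    """Lagrange interpolation: the degree < len(xs) polynomial through the points."""
    res = [0] * len(xs)
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num, den = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                num = poly_mul(num, [(-xj) % P, 1])
                den = den * (xi - xj) % P
        scale = yi * pow(den, P - 2, P) % P
        res = [(r + c * scale) % P for r, c in zip(res, num)]
    return res

def solve_mod(rows, rhs):
    """Gauss-Jordan elimination over GF(P); returns one solution (free variables = 0)."""
    A = [r[:] + [b] for r, b in zip(rows, rhs)]
    ncols, pivots, r = len(rows[0]), [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(A)) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], P - 2, P)
        A[r] = [v * inv % P for v in A[r]]
        for i in range(len(A)):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(vi - f * vr) % P for vi, vr in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    x = [0] * ncols
    for i, c in enumerate(pivots):
        x[c] = A[i][-1]
    return x

def rs_decode(xs, ys, k, t):
    """Berlekamp-Welch: the degree <= k polynomial agreeing with >= len(xs) - t points.
    Unknowns: Q (degree <= k + t) and a monic error locator E (degree t) with Q(x_i) = y_i E(x_i)."""
    nq = k + t + 1
    rows = [[pow(x, i, P) for i in range(nq)] + [(-y * pow(x, i, P)) % P for i in range(t)]
            for x, y in zip(xs, ys)]
    rhs = [y * pow(x, t, P) % P for x, y in zip(xs, ys)]
    sol = solve_mod(rows, rhs)
    return poly_div(sol[:nq], sol[nq:] + [1])  # every solution satisfies Q = p * E

def ss(A, t):
    """SS(A) = (a_0, ..., a_{s-1}): the monic p' of degree s with p'(x) = p(x) on A."""
    s, xs = len(A), sorted(A)
    p = [random.randrange(P) for _ in range(s - 2 * t)]  # step 1: random p of degree <= s-2t-1
    # step 2: p'(x) - x^s has degree < s and must interpolate p(x) - x^s on the s points of A
    return interpolate(xs, [(poly_eval(p, x) - pow(x, s, P)) % P for x in xs])

def rec(B, sketch, t):
    """Rec(B, SS(A)): A from any size-s set B that agrees with A in >= s - t points."""
    s = len(sketch)
    p_prime = sketch + [1]  # monic of degree exactly s
    xs = sorted(B)
    p = rs_decode(xs, [poly_eval(p_prime, x) for x in xs], s - 2 * t - 1, t)
    diff = poly_sub(p_prime, p)  # degree exactly s, so its root set is exactly A
    return {x for x in range(P) if poly_eval(diff, x) == 0}
```

The sketch is s field elements (s log n bits), and recovery never sees p: it is rebuilt from the ≥ s − t agreeing evaluations, as in the text.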

We now turn to the entropy loss of the scheme. The sketching scheme invests (s − 2t) log n bits of randomness to choose the polynomial p. The number of possible outputs p' is n^s. If X is the invested randomness, then the (average) min-entropy of (A, X) given SS(A) is at least H∞(A) − 2t log n. The randomness X can be recovered from A and SS(A), and so we have H̃∞(A | SS(A)) ≥ H∞(A) − 2t log n. We have proved:

Lemma 6 (Analysis of Modified JS). The entropy loss of the modified JS scheme is at most 2t log n. The scheme has storage (s + 1) log n for sets of size s in [n], and both the sketch generation SS() and the recovery procedure Rec() run in polynomial time.

The short length of the sketch makes this scheme feasible for essentially any ratio of set size to universe size (we only need log n to be polynomial in s). Moreover, for large universes the entropy loss 2t log n is essentially optimal for the uniform case m = log $\binom{n}{s}$. Our lower bound (in the full version) shows that for a uniformly distributed input, the best possible entropy loss is m − m' ≥ log $\binom{n}{s}$ − log A(n, s, 4t + 1), where A(n, s, d) is the maximum size of a code of constant weight s and minimum Hamming distance d. Using a bound of Agrell et al ([1], Theorem 12), the entropy loss is at least:

$$m - m' \ge \log\binom{n}{s} - \log A(n, s, 4t + 1) \ge \log\binom{n - s + 2t}{2t}.$$

When n ≫ s, this last quantity is roughly 2t log n, as desired.



5.3 Large Universes via the Hamming Metric: Sublinear-Time Decoding

In this section, we show that the code-offset construction can in fact be adapted for small sets in a large universe, using specific properties of algebraic codes. We will show that BCH codes, which contain Hamming and Reed-Solomon codes as special cases, have these properties.

Syndromes of Linear Codes. For an [n, k, d] linear code C with parity check matrix H, recall that the syndrome of a word w ∈ {0,1}^n is syn(w) = Hw. The syndrome has length n − k, and the code is exactly the set of words c such that syn(c) = 0^{n−k}. The syndrome captures all the information necessary for decoding. That is, suppose a codeword c is sent through a channel and the word w = c ⊕ e is received. First, the syndrome of w is the syndrome of e: syn(w) = syn(c) ⊕ syn(e) = 0 ⊕ syn(e) = syn(e). Moreover, for any value u, there is at most one word e of weight less than d/2 such that syn(e) = u (the existence of a pair of distinct words e1, e2 would mean that e1 ⊕ e2 is a codeword of weight less than d). Thus, knowing the syndrome syn(w) is enough to determine the error pattern e if not too many errors occurred.

As mentioned before, we can reformulate the code-offset construction in terms of the syndrome: SS(w) = syn(w). The two schemes are equivalent: given syn(w) one can sample from w ⊕ C(X) by choosing a random string v with syn(v) = syn(w); conversely, syn(w ⊕ C(X)) = syn(w). This reformulation gives us no special advantage when the universe is small: storing w ⊕ C(X) is not a problem. However, it's a substantial improvement when n ≫ n − k.

Syndrome Manipulation for Small-Weight Words. Suppose now that we have a small set A ⊆ [n] of size s, where n ≫ s. Let x_A ∈ {0,1}^n denote the characteristic vector of A. If we want to use syn(x_A) as the sketch of A, then we must choose a code with n − k ≤ log $\binom{n}{s}$ ≈ s log n, since the sketch has entropy loss (n − k) and the maximum entropy of A is log $\binom{n}{s}$.

Binary BCH codes are a family of [n, k, d] linear codes with d = 4t + 1 and k = n − 2t log n (assuming n + 1 is a power of 2) (see, e.g. [19]). These codes are optimal for t ≪ n by the Hamming bound, which implies that k ≤ n − log $\binom{n}{2t}$ [19]. Using the code-offset sketch with a BCH code C, we get entropy loss n − k = 2t log n, just as we did for the modified Juels-Sudan scheme (recall that d ≥ 4t + 1 allows us to correct t set difference errors).
The only problem is that the scheme appears to require computation time Ω(n), since we must compute syn(x_A) = Hx_A and, later, run a decoding algorithm to recover x_A. For BCH codes, this difficulty can be overcome. A word of small weight x can be described by listing the positions on which it is nonzero. We call this description the support of x and write supp(x) (that is, supp(x_A) = A).

Lemma 7. For an [n, k, d] binary BCH code C one can compute:

1. syn(x), given supp(x), and

2. supp(x), given syn(x) (when x has weight at most (d − 1)/2),

in time polynomial in |supp(x)| = weight(x) · log(n) and |syn(x)| = n − k.

The proof of Lemma 7 mainly requires a careful reworking of the standard BCH decoding algorithm. The details are presented in the full version of the paper. For now, we present the resulting sketching scheme for set difference. The algorithm works in the field GF(2^m) = GF(n + 1), and assumes a generator α for GF(2^m) has been chosen ahead of time.

Algorithm 2 (BCH-based Secure Sketch). Input: a set A ⊆ [n] of size s, where n = 2^m − 1. (Here α is a generator for GF(2^m), fixed ahead of time.)

1. Let p(x) = Σ_{i ∈ A} x^i.

2. Output SS(A) = (p(α), p(α^3), p(α^5), ..., p(α^{4t−1})) (computations in GF(2^m)).

Lemma 7 yields the algorithm Rec() which recovers A from SS(A) and any set which intersects A in at least s − t points. However, the bound on entropy loss is easy to see: the output is 2t log n bits long, and hence the entropy loss is at most 2t log n. We obtain:

Theorem 1. The BCH scheme above is an [m, m − 2t log n, t] secure sketch scheme for set difference with storage 2t log n. The algorithms SS and Rec both run in polynomial time.



6 Constructions for Edit Distance 

First we note that simply applying the same approach as we took for the transitive metric spaces before (the Hamming space and the set difference space for small universe sizes) does not work here, because the edit metric does not seem to be transitive. Indeed, it is unclear how to build a permutation π such that for any w' close to w, we also have π(w') close to x = π(w). For example, setting π(y) = y ⊕ (x ⊕ w) is easily seen not to work with insertions and deletions. Similarly, if I is some sequence of insertions and deletions mapping w to x, it is not true that applying I to w' (which is close to w) will necessarily result in some x' close to x. In fact, then we could even get dis(w', x') = 2 dis(w, x) + dis(w, w').

Perhaps one could try to simply embed the edit metric into the Hamming metric using known embeddings, such as conventionally used low-distortion embeddings, which provide that all distances are preserved up to some small "distortion" factor. However, there are no known nontrivial low-distortion embeddings from the edit metric to the Hamming metric. Moreover, it was recently proved by Andoni et al [2] that no such embedding can have distortion less than 3/2, and it was conjectured that a much stronger lower bound should hold.

Thus, as the previous approaches don't work, we turn to the embeddings we defined specifically for fuzzy extractors: biometric embeddings. Unlike low-distortion embeddings, biometric embeddings do not care about relative distances, as long as points that were "close" (closer than t1) do not become "distant" (farther apart than t2). The only additional requirement of biometric embeddings is that they preserve some min-entropy: we do not want too many points to collide together, although collisions are allowed, even collisions of distant points. We will build a biometric embedding from the edit distance to the set difference.

A c-shingle [5] is a length-c consecutive substring of a given string w. A c-shingling [5] of a string w of length n is the set (ignoring order or repetition) of all (n − c + 1) c-shingles of w. Thus, the range of the c-shingling operation consists of all nonempty subsets of size at most n − c + 1 of {0,1}^c. To simplify our future computations, we will always arbitrarily pad the c-shingling of any string w to contain precisely n distinct shingles (say, by adding the first n − |c-shingling| elements of {0,1}^c not present in the given c-shingling). Thus, we can define a deterministic map SH_c(w) which maps w into n substrings of {0,1}^c, where we assume that c ≥ log_2 n. Let Edit(n) stand for the edit metric over {0,1}^n, and SDif(N, s) stand for the set difference metric over [N] where the set sizes are s. We now show that c-shingling yields pretty good biometric embeddings for our purposes.

Lemma 8. For any c ≥ log_2 n, SH_c is a (t1, t2 = ct1, m1, m2 = m1 − (n log_2 n)/c)-biometric embedding of Edit(n) into SDif(2^c, n).

Proof. Assume dis(w1, w2)_ed ≤ t1 and that I is the smallest set of 2t1 insertions and deletions which transforms w1 into w2. It is easy to see that each character deletion or insertion affects at most c shingles, and thus the symmetric difference between SH_c(w1) and SH_c(w2) is ≤ 2ct1, which implies that dis(SH_c(w1), SH_c(w2))_sd ≤ ct1, as needed.

Now, assume w1 is any string. Define g_c(w1) as follows. One computes SH_c(w1), and stores the n resulting shingles in lexicographic order h_1 ... h_n. Next, one naturally partitions w1 into n/c disjoint shingles of length c, call them k_1 ... k_{n/c}. Next, for 1 ≤ j ≤ n/c, one sets p_c(j) to be the index i ∈ {1 ... n} such that k_j = h_i. Namely, it tells the index of the j-th disjoint shingle of w1 in the ordered n-set SH_c(w1). Finally, one sets g_c(w1) = (p_c(1) ... p_c(n/c)). Notice, the length of g_c(w1) is (n/c) · log_2 n, and also that w1 can be completely recovered from SH_c(w1) and g_c(w1).

Now, assume W1 is any distribution of min-entropy at least m1 on Edit(n). Since g_c(W1) has length (n log_2 n)/c, its min-entropy is at most this much as well. But since the min-entropy of W1 drops to 0 when given SH_c(W1) and g_c(W1), it means that the min-entropy of SH_c(W1) must be at least m2 ≥ m1 − (n log_2 n)/c, as claimed.
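An added example (not code from the paper) of the padded c-shingling map SH_c and of the side information g_c(w) from the proof of Lemma 8, showing concretely that w is recoverable from (SH_c(w), g_c(w)) and how a two-edit change moves the padded shingle sets in the set difference metric. The sample string, the edit helper and the function names are constructed for this example.

```python
from itertools import product


def shingles(w, c):
    """The plain c-shingling: the set of all n - c + 1 length-c substrings of w."""
    return {w[i:i + c] for i in range(len(w) - c + 1)}


def sh(w, c):
    """SH_c(w): the c-shingling padded with the first absent elements of {0,1}^c
    (in lexicographic order) until it holds exactly n = len(w) distinct shingles."""
    n = len(w)
    assert 2 ** c >= n, "the text assumes c >= log2(n), so that enough shingles exist"
    s = shingles(w, c)
    for bits in product("01", repeat=c):
        if len(s) == n:
            break
        s.add("".join(bits))
    return s


def g(w, c):
    """g_c(w) from the proof of Lemma 8: for each of the n/c disjoint length-c blocks
    of w, its index in the lexicographically sorted SH_c(w)."""
    assert len(w) % c == 0
    ordered = sorted(sh(w, c))
    return [ordered.index(w[j:j + c]) for j in range(0, len(w), c)]


def recover(shingle_set, g_vals):
    """w from (SH_c(w), g_c(w)): concatenate the indexed shingles in block order."""
    ordered = sorted(shingle_set)
    return "".join(ordered[i] for i in g_vals)


def set_difference_distance(s1, s2):
    """dis_sd of Section 5: half the size of the symmetric difference of two equal-size sets."""
    return len(s1 ^ s2) // 2


def edited(w, delete_at, insert_bit):
    """Constructed edit of distance 2: delete one character and append one bit."""
    return w[:delete_at] + w[delete_at + 1:] + insert_bit
```

Because g_c(w) is only (n/c)·log2(n) bits, conditioning on it cannot remove more min-entropy than that, which is exactly the m2 bound of the lemma.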
We can now optimize the value c. By either Lemma 6 or Theorem 1, for arbitrary universe size (in our case 2^c) and distance threshold t2 = ct1, we can construct a secure sketch for the set difference metric with min-entropy loss 2t2 log_2(2^c) = 2t1c^2, which leaves us total min-entropy m2' = m2 − 2t1c^2 ≥ m1 − (n log_2 n)/c − 2t1c^2. Applying further Lemma 1, we can convert it into a fuzzy extractor over SDif(2^c, n) for the min-entropy level m2 with error ε, which can extract at least ℓ = m2' − 2 log(1/ε) ≥ m1 − (n log_2 n)/c − 2t1c^2 − 2 log(1/ε) bits, while still correcting t2 = ct1 of errors in SDif(2^c, n). We can now apply Lemma 2 to get an (Edit(n), m1, m1 − (n log_2 n)/c − 2t1c^2 − 2 log(1/ε), t1, ε)-fuzzy extractor. Let us now optimize for the value of c ≥ log_2 n. We can set (n log_2 n)/c = 2t1c^2, which gives c = (n log_2 n / (2t1))^{1/3}. We get ℓ = m1 − (2t1 n^2 log^2 n)^{1/3} − 2 log(1/ε) and therefore

Theorem 2. There is an efficient (Edit(n), m1, m1 − (2t1 n^2 log^2 n)^{1/3} − 2 log(1/ε), t1, ε) fuzzy extractor. Setting t1 = m1^3/(16 n^2 log^2 n), we get an efficient (Edit(n), m1, m1/2 − 2 log(1/ε), m1^3/(16 n^2 log^2 n), ε) fuzzy extractor. In particular, if m1 = Ω(n), one can extract Ω(n) bits while tolerating Ω(n/log^2 n) insertions and deletions.
Abstract. We present a technique for Merkle tree traversal which requires only logarithmic space and time. For a tree with N leaves, our algorithm computes sequential tree leaves and authentication path data in time 2 log_2(N) and space less than 3 log_2(N), where the units of computation are hash function evaluations or leaf value computations, and the units of space are the number of node values stored. This result is an asymptotic improvement over all other previous results (for example, measuring cost = space * time). We also prove that the complexity of our algorithm is optimal: there can exist no Merkle tree traversal algorithm which consumes both less than O(log_2(N)) space and less than O(log_2(N)) time. Our algorithm is especially of practical interest when space efficiency is required.

Keywords: amortization, authentication path, Merkle tree, tail zipping, binary tree, fractal traversal, pebbling



1 Introduction 

Twenty years ago, Merkle suggested the use of complete binary trees for pro- 
ducing multiple one-time signatures [4] associated to a single public key. Since 
this introduction, a Merkle tree [8] has been defined to be a complete binary tree 
with a k bit value associated to each node such that each interior node value is 
a one-way function of the node values of its children. 

Merkle trees have found many uses in theoretical cryptographic construc- 
tions, having been specifically designed so that a leaf value can be verified with 
respect to a publicly known root value and the authentication data of the leaf. 
This authentication data consists of one node value at each height, where these 
nodes are the siblings of the nodes on the path connecting the leaf to the root. 
The Merkle tree traversal problem is the task of finding an efficient algorithm to 
output this authentication data for successive leaves. The trivial solution of stor- 
ing every node value in memory requires too much space. On the other hand, the 
approach of computing the authentication nodes on the round they are required 
will be very expensive for some nodes. The challenge is to conserve both space 
and computation by amortizing the cost of computing such expensive nodes. 
Thus, this goal is different from other, more well known, tree traversal problems 
found in the literature. 

In practice, Merkle trees have not been appealing due to the large amount of computation or storage required. However, with more efficient traversal techniques, Merkle trees may once again become more compelling, especially given the advantage that cryptographic constructions based on Merkle trees do not require any number theoretic assumptions.

Our Contribution. We present a Merkle tree-traversal algorithm which has a better space and time complexity than the previously known algorithms. Specifically, to traverse a tree with N leaves, our algorithm requires computation of at most 2 log_2(N) elementary operations per round and requires storage of less than 3 log_2(N) node values. In this analysis, a hash function computation and a leaf value computation are each counted as a single elementary operation*. The improvement over previous traversal algorithms is achieved as a result of a new approach to scheduling the node computations. We also prove that this complexity is optimal in the sense that there can be no Merkle tree traversal algorithm which requires both less than O(log(N)) space and less than O(log(N)) time.

History and Related Work. In his original presentation [7], Merkle proposed a straightforward technique to amortize the costs associated with tree traversal. His method requires storage of up to log^2(N)/2 hash values, and computation of about 2 log(N) hash evaluations per round. This complexity had been conjectured to be optimal.

In [6], an algorithm is presented which allows various time-space trade-offs. A parameter choice which minimizes space requires a maximum storage of about 1.5 log^2(N)/log(log(N)) hash values, and requires 2 log(N)/log(log(N)) hash evaluations per round. The basic logarithmic space and time algorithm of our paper does not provide for any time-space trade-offs, but our scheduling techniques can be used to enhance the methods of [6].

Other work on tree traversal in the cryptographic literature (e.g. [5]) considers a different type of traversal problem. Related work includes efficient hash chain traversal (e.g. [1,2]). Finally, we remark that because the verifier is indifferent to the technique used to produce the authentication path data, these new traversal techniques apply to many existing constructions.

Applications. The standard application of Merkle trees is to digital signatures [4,8]. The leaves of such a binary tree may also be used individually for authentication purposes. For example, see TESLA [11]. Other applications include certificate refreshal [9], and micro-payments [3,12]. Because this algorithm just deals with traversing a binary tree, its applications need not be restricted to cryptography.

Outline. We begin by presenting the background and standard algorithms of Merkle trees (Section 2). We then introduce some notation and review the classic Merkle traversal algorithm (Section 3). After providing some intuition (Section 4), we present the new algorithm (Section 5). We prove the time and space bounds (Section 6), and discuss the optimal asymptotic nature of this result (Section 7). We conclude with some comments on efficiency enhancements and future work (Section 8). In the appendix we sketch the proof of the theorem stating that our complexity result is asymptotically optimal.

* This differs from the measurement of total computational cost, which includes, e.g., the scheduling algorithm itself.

2 Merkle Trees and Background 

The definitions and algorithms in this section are well known, but are useful to 
precisely explain our traversal algorithm. 

Binary Trees. A complete binary tree T is said to have height H if it has 2^H 
leaves, and 2^H − 1 interior nodes. By labeling each left child node with a “0” and 
each right child node with a “1”, the digits along the path from the root identify 
each node. Interpreting the string as a binary number, the leaves are naturally 
indexed by the integers in the range {0, 1, ..., 2^H − 1}. The higher the leaf index, 
the further to the right that leaf is. Leaves are said to have height 0, while the 
height of an interior node is the length of the path to a leaf below it. Thus, the 
root has height H, and below each node at height h, there are 2^h leaves. 

Merkle Trees. A Merkle tree is a complete binary tree equipped with a function 
hash and an assignment, Φ, which maps the set of nodes to the set of k-length 
strings: n ↦ Φ(n) ∈ {0, 1}^k. For the two child nodes, n_left and n_right, of any 
interior node, n_parent, the assignment is required to satisfy 

\[ \Phi(n_{parent}) = hash(\Phi(n_{left}) \| \Phi(n_{right})). \tag{1} \]

The function hash is a candidate one-way function such as SHA-1 [13]. 

For each leaf l, the value Φ(l) may be chosen arbitrarily, and then equation (1) 
determines the values of all the interior nodes. While choosing arbitrary leaf 
values Φ(l) might be feasible for a small tree, a better way is to generate them 
with a keyed pseudo-random number generator. When the leaf value is the hash 
of the random number, this number is called a leaf-preimage. An application 
might calculate the leaf values in a more complex way, but we focus on the 
traversal itself and model a leaf calculation with an oracle LEAFCALC, which 
produces Φ(l) at the cost of a single computational unit². 

Authentication Paths. The goal of Merkle tree traversal is the sequential 
output of the leaf values, with the associated authentication data. For each 
height h < H, we define Auth_h to be the value of the sibling of the height h 
node on the path from the leaf to the root. The authentication data is then the 
set {Auth_i | 0 ≤ i < H}. 

The correctness of a leaf value may be verified as follows: It is first hashed 
together with its sibling Auth_0, which, in turn, is hashed together with Auth_1, 
etc., all the way up to the root. If the calculated root value is equal to the 
published root value, then the leaf value is accepted as authentic. Fortunately, when 
the leaves are naturally ordered from left to right, consecutive leaves typically 
share a large portion of the authentication data. 

² It is straightforward to adapt the analysis to more expensive leaf value calculations. 

Efficiently Computing Nodes. By construction, each interior node value 
Φ(n) (also abbreviated Φ_n) is determined from the leaf values below it. The 
following well known algorithm, which we call TREEHASH, conserves space. 
During the required 2^{h+1} − 1 steps, it stores a maximum of h + 1 hash values at 
once. The TREEHASH algorithm consolidates node values at the same height 
before calculating a new leaf, and it is commonly implemented with a stack. 

Algorithm 1: TREEHASH (start, maxheight) 

1. Set leaf = start and create empty stack. 

2. Consolidate If top 2 nodes on the stack are equal height: 

• Pop node value Φ_right from stack. 

• Pop node value Φ_left from stack. 

• Compute Φ_parent = hash(Φ_left || Φ_right). 

• If height of Φ_parent = maxheight, output Φ_parent and stop. 

• Push Φ_parent onto the stack. 

3. New Leaf Otherwise: 

• Compute Φ_l = LEAFCALC(leaf). 

• Push Φ_l onto stack. 

• Increment leaf. 

4. Loop to step 2. 



Often, multiple instances of TREEHASH are integrated into a larger algo- 
rithm. To do this, one might define an object with two methods, initialize, and 
update. The initialization step simply sets the starting leaf index, and height of 
the desired output. The update method executes either step 2 or step 3, and 
modifies the contents of the stack. When it is done, the sole remaining value on 
the stack is Φ(n). We call the intermediate values stored in the stack tail node 
values. 



3 The Classic Traversal 

The challenge of Merkle tree traversal is to ensure that all node values are ready 
when needed, but are computed in a manner which conserves space and time. 
To motivate our own algorithm, we first discuss what the average per-round 
computation is expected to be, and review the classic Merkle tree traversal. 

Average Costs. Each node in the tree is eventually part of an authentication 
path, so one useful measure is the total cost of computing each node value 
exactly once. There are 2^{H−h−1} right (respectively, left) nodes at height h, and if 
computed independently, each costs 2^{h+1} − 1 operations. Rounding up, this is 
2^{H+1} = 2N operations, or two per round. Adding together the costs for each 
height h (0 ≤ h < H), we expect, on average, 2H = 2 log(N) operations per 
round to be required. 
Three Components. As with a digital signature scheme, the tree-traversal 
algorithm consists of three components: key generation, output, and verification. 
During key generation, the root of the tree, the first authentication path, and 
some upcoming authentication node values are computed. The root node value 
plays the role of a public key, and the leaf values play the role of one-time private 
keys. 

The output phase consists of N rounds, one for each leaf. During round leaf, 
the leaf’s value, Φ(leaf) (or leaf pre-image) is output. The authentication path, 
{Auth_i}, is also output. Additionally, the algorithm’s state is modified in order 
to prepare for future outputs. 

As mentioned above, the verification phase is identical to the traditional 
verification phase for Merkle trees. 

Notation. In addition to denoting the current authentication nodes Auth_h, we 
need some notation to describe the stacks used to compute upcoming needed 
nodes. Define Stack_h to be an object which contains a stack of node values as 
in the description of TREEHASH above. Stack_h.initialize and Stack_h.update 
will be methods to set up and incrementally compute TREEHASH. Additionally, 
define Stack_h.low to be the height of the lowest node in Stack_h, except 
in two cases: if the stack is empty Stack_h.low is defined to be h, and if the 
TREEHASH algorithm has completed Stack_h.low is defined to be ∞. 



3.1 Key Generation and Setup 

The main task of key generation is to compute and publish the root value. This is 
a direct application of TREEHASH. In the process of this computation, every 
node value is computed, and it is important to record the initial values {Auth_i}, 
as well as the upcoming values for each of the {Auth_i}. 

If we denote the j’th node at height h by n_{h,j}, we have Auth_h = Φ(n_{h,1}) 
(these are right nodes). The “upcoming” authentication node at height h is 
Φ(n_{h,0}) (these are left nodes). These node values are used to initialize Stack_h to 
be in the state of having completed TREEHASH. 

Algorithm 2: Key-Gen and Setup 

1. Initial Authentication Nodes For each i ∈ {0, 1, ..., H − 1}: 
Calculate Auth_i = Φ(n_{i,1}). 

2. Initial Next Nodes For each i ∈ {0, 1, ..., H − 1}: Setup 
Stack_i with the single node value Φ(n_{i,0}). 

3. Public Key Calculate and publish tree root, Φ(root). 



3.2 Output and Update (Classic) 

Merkle’s tree traversal algorithm runs one instance of TREEHASH for each 
height h to compute the next authentication node value for that level. Every 2^h 
rounds, the authentication path will shift to the right at level h, thus requiring 
a new node (its sibling) as the height h authentication node. 

At each round the TREEHASH state is updated with two units of computation. 
After 2^h rounds this node value computation will be completed, and a 
new instance of TREEHASH begins for the next authentication node at that 
level. 

To specify how to refresh the Auth nodes, we observe how to easily determine 
which heights need updating: height h needs updating if and only if 2^h 
divides leaf + 1 evenly. Furthermore, we note that at round leaf + 1 + 2^h, the 
authentication path will pass through the (leaf + 1 + 2^h)/2^h’th node at height 
h. Thus, its sibling’s value (the new required upcoming Auth_h) is determined 
from the 2^h leaf values starting from leaf number (leaf + 1 + 2^h) ⊕ 2^h, where ⊕ 
denotes bitwise XOR. 

In this language, we summarize Merkle’s classic traversal algorithm. 

Algorithm 3: Classic Merkle Tree Traversal 

1. Set leaf = 0. 

2. Output: 

• Compute and output Φ(leaf) with LEAFCALC(leaf). 

• For each h ∈ [0, H − 1] output {Auth_h}. 

3. Refresh Auth Nodes: 

For all h such that 2^h divides leaf + 1: 

• Set Auth_h to be the sole node value in Stack_h. 

• Set startnode = (leaf + 1 + 2^h) ⊕ 2^h. 

• Stack_h.initialize(startnode, h). 

4. Build Stacks: 

For all h ∈ [0, H − 1]: 

• Stack_h.update(2). 

5. Loop: 

• Set leaf = leaf + 1. 

• If leaf < 2^H go to Step 2. 



4 Intuition for an Improvement 

Let us make some observations about the classic traversal algorithm. We see 
that with the classic algorithm above, up to H instances of TREEHASH may 
be concurrently active, one for each height less than H. One can conceptualize 
them as H processes running in parallel, each requiring also a certain amount 
of space for the “tail nodes” of the TREEHASH algorithm, and receiving a 
budget of two hash value computations per round, clearly enough to complete 
the 2^{h+1} − 1 hash computations required over the 2^h available rounds. 

Because the stack employed by TREEHASH may contain up to h + 1 node 
values, we are only guaranteed a space bound of 1 + 2 + ··· + H. The possibility of 
so many tail nodes is the source of the O(H^2/2) space complexity in the classic 
algorithm. 
Considering that for the larger h, the TREEHASH calculations have many 
rounds to complete, it appears that it might be wasteful to save so many 
intermediate nodes at once. Our idea is to schedule the concurrent TREEHASH 
calculations differently, so that at any given round, the associated stacks are 
mostly empty. We chose a schedule which generally favors computation of 
upcoming Auth_h for lower h (because they are required sooner), but delays 
beginning a new TREEHASH instance slightly, waiting until all stacks {Stack_i} 
are partially completed, containing no tail nodes of height less than h. 

This delay was motivated by the observation that in general, if the 
computation of two nodes at the same height in different TREEHASH stacks are 
computed serially, rather than in parallel, less space will be used. Informally, we 
call the delay in starting new stack computations “zipping up the tails”. We will 
need to prove the fact, which is no longer obvious, that the upcoming needed 
nodes will always be ready in time. 



5 The New Traversal Algorithm 

In this section we describe the new scheduling algorithm. Compared to the 
classic traversal algorithm, the only difference will be in how the budget of 2H 
hash function evaluations will be allocated among the potentially H concurrent 
TREEHASH processes. 

Using the idea of zipping up the tails, there is more than one way to invent 
a scheduling algorithm which will take advantage of this savings. The one we 
present here is not optimal, but it is simple to describe. For example, an earlier 
version of this work presented a more efficient, but more difficult algorithm. 

Algorithm 4: Logarithmic Merkle Tree Traversal 

1. Set leaf = 0. 

2. Output: 

• Compute and output Φ(leaf) with LEAFCALC(leaf). 

• For each h ∈ [0, H − 1] output {Auth_h}. 

3. Refresh Auth Nodes: 

For all h such that 2^h divides leaf + 1: 

• Set Auth_h to be the sole node value in Stack_h. 

• Set startnode = (leaf + 1 + 2^h) ⊕ 2^h. 

• Stack_h.initialize(startnode, h). 

4. Build Stacks: 

Repeat the following 2H − 1 times: 

• Let l_min be the minimum of {Stack_h.low}. 

• Let focus be the least h so Stack_h.low = l_min. 

• Stack_focus.update(1). 

5. Loop: 

• Set leaf = leaf + 1. 

• If leaf < 2^H go to Step 2. 
This version can be concisely described as follows. The upcoming needed 
authentication nodes are computed as in the classic traversal, but the various 
stacks do not all receive equal attention. Each TREEHASH instance can be 
characterized as being either not started, partially completed, or completed. Our 
schedule prefers to complete Stack_h for the lowest h values first, unless another 
stack has a lower tail node. We express this preference by defining l_min to be the 
minimum of the h values {Stack_h.low}, then choosing to focus our attention 
on the smallest level h attaining this minimum (setting Stack_h.low = ∞ for 
completed stacks effectively skips them over). 

In other words, all stacks must be completed to a stage where there are 
no tail nodes at height h or less before we start a new Stack_h TREEHASH 
computation. The final algorithm is summarized in the box above. 
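As an added example (not the paper's code), the following Python puts together Algorithm 1 as the initialize/update Stack_h object of Sections 2 and 3, Algorithm 2, and the Algorithm 4 schedule above, verifies every output against the root, and measures the per-round units and the number of stored hash values that Section 6 bounds by 2H and 3H − 2. SHA-256 in place of SHA-1, the keyed leaf-preimage generator, the names Oracle, Treehash and run, the constructed seed, and the guard that skips a Stack_h whose start leaf would lie past the last leaf are assumptions of this example.

```python
import hashlib

def hash_pair(left, right):                  # hash(Phi(n_left) || Phi(n_right)), equation (1)
    return hashlib.sha256(left + right).digest()

class Oracle:
    """LEAFCALC and hash, each charged one computational unit (Section 6.1)."""
    def __init__(self, secret):
        self.secret, self.units = secret, 0
    def leafcalc(self, leaf):
        self.units += 1
        preimage = hashlib.sha256(self.secret + leaf.to_bytes(4, "big")).digest()
        return hashlib.sha256(preimage).digest()       # leaf value = hash(leaf-preimage)
    def hash(self, left, right):
        self.units += 1
        return hash_pair(left, right)

class Treehash:
    """Stack_h: one TREEHASH instance (Algorithm 1) driven one unit at a time."""
    def __init__(self, oracle, h, completed=None):
        self.oracle, self.h = oracle, h
        self.stack, self.leaf, self.done = [], 0, False   # stack entries are (height, value)
        if completed is not None:                         # key generation leaves Stack_h completed
            self.stack, self.done = [(h, completed)], True
    def initialize(self, start, maxheight):
        self.leaf, self.h, self.stack, self.done = start, maxheight, [], False
    def low(self):                                        # lowest tail node; h if empty; inf once done
        if self.done:
            return float("inf")
        return min((ht for ht, _ in self.stack), default=self.h)
    def update(self, units):
        for _ in range(units):
            if self.done:
                return
            if len(self.stack) >= 2 and self.stack[-1][0] == self.stack[-2][0]:
                ht, right = self.stack.pop()              # Consolidate: top two nodes of equal height
                _, left = self.stack.pop()
                self.stack.append((ht + 1, self.oracle.hash(left, right)))
            else:                                         # New Leaf
                self.stack.append((0, self.oracle.leafcalc(self.leaf)))
                self.leaf += 1
            if self.stack[-1][0] == self.h:               # node of height maxheight produced
                self.done = True
    def result(self):
        assert self.done and len(self.stack) == 1, "Stack_h was not completed in time"
        return self.stack[0][1]

def keygen(H, oracle):
    """Algorithm 2: root, Auth_h = Phi(n_{h,1}), and Stack_h completed with Phi(n_{h,0})."""
    level = [oracle.leafcalc(i) for i in range(2 ** H)]
    auth, stacks = [], []
    for h in range(H):
        auth.append(level[1])
        stacks.append(Treehash(oracle, h, completed=level[0]))
        level = [oracle.hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], auth, stacks

def verify(H, root, leaf, value, auth):
    """Standard verification: hash with Auth_0, then Auth_1, ..., and compare to the root."""
    node = value
    for h in range(H):
        node = hash_pair(auth[h], node) if (leaf >> h) & 1 else hash_pair(node, auth[h])
    return node == root

def traverse(H, oracle, auth, stacks):
    """Algorithm 4; yields (leaf, Phi(leaf), Auth path, units spent this round, peak nodes held)."""
    N, held = 2 ** H, lambda: H + sum(len(s.stack) for s in stacks)   # H Auth nodes + Next + tails
    for leaf in range(N):
        units_before = oracle.units
        value, path = oracle.leafcalc(leaf), list(auth)   # Step 2: Output
        for h in range(H):                                 # Step 3: Refresh Auth Nodes
            if (leaf + 1) % (2 ** h) == 0:
                auth[h] = stacks[h].result()
                startnode = (leaf + 1 + 2 ** h) ^ (2 ** h)
                if startnode < N:                          # added guard: no leaves past the tree
                    stacks[h].initialize(startnode, h)
        peak = held()
        for _ in range(2 * H - 1):                         # Step 4: Build Stacks
            lmin = min(s.low() for s in stacks)
            if lmin == float("inf"):
                break                                      # every stack completed
            focus = min(h for h in range(H) if stacks[h].low() == lmin)
            stacks[focus].update(1)                        # zipping up the tails
            peak = max(peak, held())
        yield leaf, value, path, oracle.units - units_before, peak

def run(H, secret=b"constructed demo seed"):
    """Traverse a height-H tree; report verification and the resource peaks of Section 6."""
    oracle = Oracle(secret)
    root, auth, stacks = keygen(H, oracle)
    ok, max_units, max_held = True, 0, 0
    for leaf, value, path, units, peak in traverse(H, oracle, auth, stacks):
        ok = verify(H, root, leaf, value, path) and ok
        max_units, max_held = max(max_units, units), max(max_held, peak)
    return {"verified": ok, "max_units_per_round": max_units, "max_stored": max_held}

if __name__ == "__main__":
    print(run(4))   # verified, at most 8 units per round, at most 10 hash values stored
```

The result() assertion is the claim of Section 6.1 (every Stack_h is completed before its value is needed), and max_stored is the quantity bounded by 3H − 2 in Section 6.2.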



6 Correctness and Analysis 

In this section we show that our computational budget of 2H is indeed sufficient 
to complete every Stackh computation before it is required as an authentication 
node. We also show that the space required for hash values is less than 3H. 

6.1 Nodes Are Computed on Time 

As presented above, our algorithm allocates exactly a budget of 2H computational 
units per round to spend updating the H stacks. Here, a computational 
unit is defined to be either a call to LEAFCALC, or the computation of a hash 
value. We do not model any extra expense due to complex leaf calculations. 

To prove this, we focus on a given height h, and consider the period starting 
from the time Stack_h is created and ending at the time when the upcoming 
authentication node (denoted Need_h here) is required to be completed. This is not 
immediately clear, due to the complicated scheduling algorithm. Our approach 
to proving that Need_h is completed on time is to show that the total budget 
over this period exceeds the cost of all nodes computed within this period which 
can be computed before Need_h. 

Node Costs. The node Need_h itself costs only 2^{h+1} − 1 units, a tractable 
amount given that there are 2^h rounds between the time Stack_h is created, and 
the time by which Need_h must be completed. However, a non-trivial calculation 
is required, since in addition to the resources required by Need_h, many other 
nodes compete for the total budget of 2H2^h computational units available in 
this period. These nodes include all the future needed nodes Need_i (i < h), for 
lower levels, and the 2^h output nodes of Algorithm 4, Step 2. Finally there may 
be a partial contribution to a node Need_i, i > h, so that its stack contains no 
low nodes by the time Need_h is computed. 

It is easy to count the number of such needed nodes in the interval, and we 
know the cost of each one. As for the contributions to higher stacks, we at least 
know that the cost to raise any low node to height h must be less than 2^{h+1} − 1 
(the total cost of a height h node). We summarize these quantities and costs in 
the following figure. 



Nodes built during 2^h rounds for Need_h: 

Node Type     Quantity    Cost Each 
Need_h        1           2^{h+1} − 1 
Need_{h−1}    2           2^h − 1 
Need_k        2^{h−k}     2^{k+1} − 1 
Need_0        2^h         1 
Output        2^h         1 
Tail          1           ≤ 2^{h+1} − 2 

We proceed to tally up the total cost incurred during the interval. Notice that 
the rows beginning Need_0 and Output require a total of 2^{h+1} computational 
units. For every other row in the node chart, the number of nodes of a given type 
multiplied by the cost per node is less than 2^{h+1}. There are h + 1 such rows, so 
the total cost of all nodes represented in the chart is 

\[ TotalCost_h < (h + 2)\, 2^{h+1}. \]

For heights h ≤ H − 2, it is clear that this total cost is less than 2H2^h. It is 
also true for the remaining case of h = H − 1, because there are no tail nodes in 
this case. 

We conclude that, as claimed, the budget of 2H units per round is indeed 
always sufficient to prepare Need_h on time, for any 0 ≤ h < H. 

6.2 Space Is Bounded by 3H 

Our motivation leading to this relatively complex scheduling is to use as little 
space as possible. To prove this, we simply add up the quantities of each kind 
of node. We know there are always H nodes Auth_h. Let C ≤ H be the number of 
completed nodes Next_h. 

\[ \#Auth_i + \#Next_i = H + C. \tag{2} \]

We must finally consider the number of tail nodes in the {Stack_h}. As for 
these, we observe that since a Stack_h never becomes active until all nodes in 
“higher” stacks are of height at least h, there can never be two distinct stacks, 
each containing a node of the same height. Furthermore, recalling algorithm 
TREEHASH, we know there is at most one height for which a stack has two 
node values. In all, there is at most one tail node at each height (0 ≤ h ≤ H − 3), 
plus up to one additional tail node per non-completed stack. Thus 

\[ \#Tail \le H - 2 + (H - C). \tag{3} \]

Adding all types of nodes we obtain: 

\[ \#Auth_i + \#Next_i + \#Tail \le 3H - 2. \tag{4} \]

This proves the assertion. There are at most 3H − 2 stored nodes. 

7 Asymptotic Optimality Result 

An interesting optimality result states that a traversal algorithm can never beat 
both time = O(log(N)) and space = O(log(N)). It is clear that at least H − 2 
nodes are required for the TREEHASH algorithm, so our task is essentially 
to show that if space is limited by any constant multiple of log(N), then the 
computational complexity must be Ω(log(N)). Let us be clear that this theorem 
does not quantify the constants. Clearly, with greater space, computation time 
can be reduced. 

Theorem 1. Suppose that there is a Merkle tree traversal algorithm for which 
the space is bounded by α log(N). Then there exists some constant β so that the 
time required is at least β log(N). 

The theorem simply states that it is not possible to reduce space complexity 
below logarithmic without increasing the time complexity beyond logarithmic! 

The proof of this technical statement is found in the appendix, but we will 
briefly describe the approach here. We consider only right nodes for the proof. We 
divide all right nodes into two groups: those which must be computed (at a cost 
of 2^{h+1} − 1), and those which have been saved from some earlier calculation. The 
proof assumes a sub-logarithmic time complexity and derives a contradiction. 

The more nodes in the second category, the faster the traversal can go. How- 
ever, such a large quantity of nodes would be required to be saved in order to 
reduce the time complexity to sub-logarithmic, that the average number of saved 
node values would have to exceed a linear amount! The rather technical proof in 
the appendix uses a certain sequence of subtrees to formulate the contradiction. 

8 Efficiency Improvements and Future Work 

Halving the required time. The scheduling algorithm we presented above 
is not optimally efficient. In an earlier version of this paper, we described a 
technique to halve the number of required hash computations per round. The 
trick was to notice that all of the left nodes in the tree could be calculated 
nearly for free. Unfortunately, this resulted in a more complicated algorithm 
which is less appealing for a transparent exposition. 

Other Variants. A space-time trade-off is the subject of [6]. For our algorithm, 
clearly a few extra node values stored near the top of the tree will reduce total 
computation, but there are also other strategies to exploit extra space and save 
time. For Merkle tree traversal all such approaches are based on the idea that 
during a node computation (such as that of Need_i) saving some wisely chosen 
set of intermediate node values will avoid their duplicate future recomputation, 
and thus save time. 

Future work. It might be interesting to explicitly combine the idea in this 
paper with the work in [6]. One might ask the question, for any size tree, what 
is the least number of hash computations per round which will suffice, if only S 
hash nodes may be stored at one time. 

Perhaps a more interesting direction will be to look for applications for which 
an efficient Merkle tree traversal would be useful. Because the traversal algo- 
rithms are a relatively general construction, applications outside of cryptography 
might be discovered. 

Within cryptography, there is some interest in understanding which constructions 
would still be possible if no public-key functionality turned out to exist 
(for example due to quantum computers). Then the efficiency of a signature 
scheme based on Merkle trees would be of practical interest. Finally, in any 
practical implementation designed to conserve space, it is important to take into 
consideration the size of the algorithm’s code itself. 
A Complexity Proof 

We now begin the technical proof of Theorem 1. This will be a proof by 
contradiction. We assume that the time complexity is sub-logarithmic, and show that 
this is incompatible with the assumption that the space complexity is O(log(N)). 

Our strategy to produce a contradiction is to find a bound on some linear 
combination of the average time and the average amount of space consumed. 

Notation The theorem is an asymptotic statement, so we will be considering 
trees of height H = log(N), for large H. We need to consider L levels of subtrees 
of height k, where kL = H. Within the main tree, the roots of these subtrees 
will be at heights k, 2k, 3k, ..., H. We say that the subtree is at level i if its 
root is at height (i + 1)k. This subtree notation is similar to that used in [6]. 

Note that we will only need to consider right nodes to complete our argument. 
Recall that during a complete tree traversal every single right node is eventually 
output as part of the authentication data. This prompts us to categorize the 
right nodes in three classes. 

1. Those already present after the key generation: free nodes. 

2. Those explicitly calculated (e.g. with TREEHASH): computed nodes. 

3. Those retained from another node’s calculation (e.g. from another node’s 
TREEHASH): saved nodes. 

Notice how type 2 nodes require computational effort, whereas type 1 and 
type 3 nodes require some period of storage. We need further notation to 
conveniently reason about these nodes. Let a_i denote the number of level i subtrees 
which contain at least 1 non-root computed (right) node. Similarly, let b_i denote 
the number of level i subtrees which contain zero computed nodes. Just by 
counting the total number of level i subtrees we have the relation 

\[ a_i + b_i = N / 2^{(i+1)k}. \tag{5} \]
Computational costs Let us tally the cost of some of the computed nodes. 
There are a_i subtrees containing a node of type 2, which must be of height 
at least ik. Each such node will cost at least 2^{ik+1} − 1 operations to compute. 
Rounding down, we find a simple lower bound for the cost of the nodes at level i. 

\[ Cost \ge \sum_{i=0}^{L-1} a_i\, 2^{ik}. \tag{6} \]

Storage costs Let us tally the lifespans of some of the retained nodes. Measuring 
units of space × rounds is natural when considering average space consumed. 
In general, a saved node, S, results from a calculation of some computed node 
C, say, located at height h. We know that S has been produced before C is even 
needed, and S will never become an authentication node before C is discarded. 
We conclude that such a node S must therefore be stored in memory for at 
least 2^h rounds. 

Even (most of) the free nodes at height h remain in memory for at least 
2^{h+1} rounds. In fact, there can be at most one exception: the first right node at 
level h. 

Now consider one of the b_i subtrees at level i containing only free or stored 
nodes. Except for the leftmost subtree at each level, which may contain a free 
node waiting in memory for fewer than 2^{(i+1)k} rounds, every other node in this subtree 
takes up space for at least 2^{(i+1)k} rounds. There are 2^k − 1 nodes in a subtree 
and thus we find a simple lower bound on the space × rounds. 

\[ Space \times Rounds \ge \sum_{i=0}^{L-1} (b_i - 1)(2^k - 1)\, 2^{(i+1)k}. \tag{7} \]

Note that the (b_i − 1) term reflects the possible omission of the leftmost level i 
subtree. 

Mixed Bounds We can now use simple algebra with Equations (5), (6), and 
(7) to yield combined bounds. First the cost is related to the b_i, which is then 
related to a space bound. 

\[ 2^k\, Cost \ge \sum_{i=0}^{L-1} a_i\, 2^{(i+1)k} = NL - \sum_{i=0}^{L-1} b_i\, 2^{(i+1)k}. \tag{8} \]

A series of similar algebraic manipulations finally yields (somewhat weaker) very 
useful bounds. 

\[ 2^k\, Cost + \sum_{i=0}^{L-1} b_i\, 2^{(i+1)k} \ge NL. \tag{9} \]

\[ 2^k\, Cost + \sum_{i=0}^{L-1} 2^{(i+1)k} + Space \times Rounds / 2^{k-1} \ge NL. \tag{10} \]

\[ 2^k\, Cost + 2N + Space \times Rounds / 2^{k-1} \ge NL. \tag{11} \]

\[ 2^k\, Average\ Cost + Average\ Space / 2^{k-1} \ge L - 2 \ge L/2. \tag{12} \]

\[ (k\, 2^{k+1})\, Average\ Cost + (k / 2^{k-2})\, Average\ Space \ge (L/2) \cdot 2k = H. \tag{13} \]

This last bound on the sum of average cost and space requirements will allow 
us to find a contradiction. 
Proof by Contradiction Let us assume the opposite of the statement of 
Theorem 1. Then there is some α such that the space is bounded above by 
α log(N). Secondly, the time complexity is supposed to be sub-logarithmic, so 
for every small β the time required is less than β log(N) for sufficiently large N. 

With these assumptions we are now able to choose a useful value of k. We 
pick k to be large enough so that α < 1/(k 2^{3−k}). We also choose β correspondingly 
small. With these choices we obtain two relations. 

\[ (k\, 2^{k+1})\, Average\ Cost < H/2. \tag{14} \]

\[ (k / 2^{k-2})\, Average\ Space < H/2. \tag{15} \]

By adding these two last equations, we contradict Equation (13). 

QED. 
Abstract. More and more software use cryptography. But how can one 
know if what is implemented is good cryptography? For proprietary software, 
one cannot say much unless one proceeds to reverse-engineering, 
and history tends to show that bad cryptography is much more frequent 
than good cryptography there. Open source software thus sounds like 
a good solution, but the fact that a source code can be read does not 
imply that it is actually read, especially by cryptography experts. In 
this paper, we illustrate this point by examining the case of a basic Internet 
application of cryptography: secure email. We analyze parts of 
the source code of the latest version of GNU Privacy Guard (GnuPG or 
GPG), a free open source alternative to the famous PGP software, compliant 
with the OpenPGP standard, and included in most GNU/Linux 
distributions such as Debian, MandrakeSoft, Red Hat and SuSE. We observe 
several cryptographic flaws in GPG v1.2.3. The most serious flaw 
has been present in GPG for almost four years: we show that as soon 
as one (GPG-generated) ElGamal signature of an arbitrary message is 
released, one can recover the signer’s private key in less than a second on 
a PC. As a consequence, ElGamal signatures and the so-called ElGamal 
sign+encrypt keys have recently been removed from GPG. Fortunately, 
ElGamal was not GPG’s default option for signing keys. 

Keywords: Public-key cryptography, GnuPG, GPG, OpenPGP, Cryptanalysis, 
RSA, ElGamal, Implementation. 



1 Introduction 

With the advent of standardization in the cryptography world (RSA PKCS [20] , 
IEEE P1363 [14], CRYPTREC [15], NESSIE [8], etc.), one may think that there 
is more and more good cryptography. But as cryptography becomes “global”, 
how can one be sure that what is implemented in the real world is actually 
good cryptography? Numerous examples (such as [4,2,21]) have shown that the 
frontier between good cryptography and bad cryptography is very thin. For 
proprietary software, it seems difficult to make any statement unless one proceeds 
to the tedious task of reverse-engineering. If proprietary software claims to 
implement 2048-bit RSA and 128-bit AES, it does not say much about the 
actual cryptographic security: which RSA is being used? Could it be textbook 
RSA [5] (with zero-padding) encrypting a 128-bit AES key with public exponent 
3? Are secret keys generated by a weak pseudo-random number generator like 
old versions of Netscape [9]? Who knows if it is really RSA-OAEP which is 
implemented [21]? With proprietary software, it is ultimately a matter of trust: 
unfortunately, history has shown that there is a lot of bad cryptography in 
proprietary software (see for instance [28,12] for explanations). Open source 
software thus sounds like a good solution. However, the fact that a source code 
can be read does not necessarily imply that it is actually read, especially by 
cryptography experts. 

The present paper illustrates this point by examining the case of “perhaps 
the most mature cryptographic technology in use on the Internet” (according 
to [1]): secure email, which enables Internet users to authenticate and/or encrypt 
emails. Secure email became popular in the early 90s with the appearance of 
the now famous Pretty Good Privacy (PGP) [27] software developed by Phil 
Zimmermann in the US. Not so long ago, because of strict export restrictions and 
other US laws, PGP was unsuitable for many areas outside the US. Although the 
source code of PGP has been published, it is unknown whether future versions 
of PGP will be shipped with access to the source code. 

GNU Privacy Guard [10] (GnuPG, or GPG in short) was developed in the 
late 90s as an answer to those PGP issues. GPG is a full implementation of 
OpenPGP [26] , the Internet standard that extends PGP. GPG has been released 
as free software under the GNU General Public License (GNU GPL): As such, 
full access to the source code is provided at [10], and GPG can be viewed as 
a free replacement for PGP. The German Federal Ministry of Economics and 
Technology granted funds for the further development of GPG. GPG has a 
fairly significant user base: it is included in most GNU/Linux distributions, 
such as Debian, MandrakeSoft, Red Hat and SuSE. The first stable version 
of GPG was released on September 7th, 1999. Here, we review the main public- 
key aspects of the source code of v1.2.3, which was the current stable version 
(released on August 22nd, 2003) when this paper was submitted to Eurocrypt 
’04. Our comments seem to also apply to several previous versions of GPG. 
However, we stress that our analysis is not claimed to be complete, even for the 
public-key aspects of GPG. 

We observe several cryptographic flaws in GPG v1.2.3. The most serious flaw 
(which turns out to have been present in GPG for almost four years) is related to 
ElGamal signatures: we present a lattice-based attack which recovers the signer’s 
private key in less than a second on a PC, given any (GPG-generated) ElGamal 
signature of a (known) arbitrary message and the corresponding public key. 
This is because both a short private exponent and a short nonce are used for the 
generation of ElGamal signatures, when the GPG version in use is between 1.0.2 
(January 2000) and 1.2.3 (August 2003). As a result, GPG-ElGamal signing keys 
have been considered compromised [19], especially the so-called primary ElGamal 
sign+encrypt keys: with such keys, one signature is always readily available, 
because such keys automatically come up with a signature to bind the user identity 
to the public key, thus leaking the private key used for both encryption 
and signature. Hence, ElGamal signatures and ElGamal sign+encrypt keys have 
recently been removed from GPG (see [10] for more information). 

We notice that GPG encryption provides no chosen-ciphertext security, due 
to its compliance with OpenPGP [26], which uses the old PKCS #1 v1.5 standard 
[17]: Bleichenbacher’s chosen-ciphertext attack [4] applies to OpenPGP, whether 
RSA or ElGamal is used. Although the relevance of chosen-ciphertext 
attacks to the context of email communications is debatable, we hope that 
OpenPGP will replace PKCS #1 v1.5 to achieve chosen-ciphertext security. The 
other flaws do not seem to lead to any reasonable attack; they only underline 
the lack of state-of-the-art cryptography in GPG and sometimes OpenPGP. It is 
worth noting that the OpenPGP standard is fairly loose: it gives non-negligible 
freedom over the implementation of cryptographic functions, especially regarding 
key generation. Perhaps stricter and less ambiguous guidelines should be 
given in order to decrease security risks. 

The only published research on the cryptographic strength of GPG we are 
aware of is [18,16], which presented chosen-ciphertext attacks with respect to the 
symmetric encryption used in PGP and GPG. The rest of the paper is organized 
as follows. In Section 2, we give an overview of the GPG software v1.2.3. In 
Section 3, we review the GPG implementation of ElGamal and present the attack 
on ElGamal signatures. In Section 4, we review the GPG implementation of 
RSA. There is no section devoted to the GPG implementation of DSA, since 
we have not found any noteworthy weakness in it. In Appendix A, we give a 
brief introduction to lattice theory, because the attack on ElGamal signatures 
uses lattices. In Appendix B, we provide a proof (in an idealized model) of the 
lattice-based attack on ElGamal signatures. 

2 An Overview of GPG v1.2.3 

GPG v1.2.3 [10] supports ElGamal (signature and encryption), DSA, RSA, AES, 
3DES, Blowfish, Twofish, CAST5, MD5, SHA-1, RIPE-MD-160 and TIGER. 
GPG decrypts and verifies PGP 5, 6 and 7 messages: It is compliant with the 
OpenPGP standard [26], which is described in RFC 2440 [6]. 

GPG provides secrecy and/or authentication to emails: it enables users to 
encrypt/decrypt and/or sign/verify emails using public-key cryptography. The 
public-key infrastructure is the famous web of trust: users certify the public keys 
of other users. 

GPG v1.2.3 allows the user to generate several types of public/private keys, 
with the command gpg --gen-key: 

— Choices available in the standard mode: 

• (1) DSA and ElGamal: this is the default option. The DSA keys are 
signing keys, while the ElGamal keys are encryption keys (type 16 in the 
OpenPGP terminology). 

• (2) DSA: only for signatures. 

• (5) RSA: only for signatures. 

— Additional choices available in the expert mode: 

• (4) ElGamal for both signature and encryption. In the OpenPGP 
terminology, these are keys of type 20. 

• (7) RSA for both signature and encryption. 

In particular, an ElGamal signing key is also an encryption key, but an ElGamal 
encryption key may be restricted to encryption. In GPG v1.2.3, ElGamal signing 
keys cannot be created unless one runs the expert mode: however, this was not 
always the case in previous versions. For instance, the standard mode of GPG 
v1.0.7 (which was released in April 2002) proposes the choices (1), (2), (4) and 
(5). 



2.1 Encryption 

GPG uses hybrid encryption to encrypt emails. A session key (of a symmetric 
encryption scheme) is encrypted by a public-key encryption scheme: either 
RSA or ElGamal (in a group $\mathbb{Z}_p^*$, where p is a prime number). The session key 
is formatted as specified by OpenPGP (see Figure 1): First, the session key is 
prefixed with a one-octet algorithm identifier that specifies the symmetric 
encryption algorithm to be used; Then a two-octet checksum is appended which is 
equal to the sum of the preceding session key octets, not including the algorithm 
identifier, modulo 65536. 

Fig. 1. Session key format in OpenPGP: one-octet identifier of the symmetric 
encryption algorithm | key of the symmetric encryption algorithm | two-octet 
checksum over the key bytes. 



This value is then padded as described in PKCS#1 v1.5 block type 02 (see [17] 
and Figure 2): a zero byte is added to the left, as well as as many non-zero random 
bytes as necessary, in such a way that the final value consists of the two bytes 
00 02, followed by the nonzero random bytes, and the rest. 
Note that this formatting is applied to both RSA and ElGamal encryption, even 
though PKCS#1 v1.5 was only designed for RSA encryption. The randomness 
required to generate nonzero random bytes is obtained by a process following 
the principles of [11]. 

Fig. 2. PKCS#1 v1.5 encryption padding, block type 02: 00 | 02 | non-zero 
random bytes | 00 | message. 
2.2 Signature 

GPG supports the following signature schemes: RSA, DSA and ElGamal. The 
current GPG FAQ includes the following comment: As for the key algorithms, 
you should stick with the default (i.e., DSA signature and ElGamal encryption). 
An ElGamal signing key has the following disadvantages: the signature is larger, 
it is hard to create such a key useful for signatures which can withstand some real 
world attacks, you don’t get any extra security compared to DSA, and there might 
be compatibility problems with certain PGP versions. It has only been introduced 
because at the time it was not clear whether there was a patent on DSA. The 
README file of GPG includes the following comment: ElGamal for signing is 
available, but because of the larger size of such signatures it is strongly deprecated 
(Please note that the GnuPG implementation of ElGamal signatures is *not* 
insecure). Thus, ElGamal signatures are not really recommended (mainly for 
efficiency reasons), but they are nevertheless supported by GPG, and they were 
not supposed to be insecure. 

When RSA or ElGamal is used, the message is first hashed (using the hash 
function selected by the user), and the hash value is encoded as described in 
PKCS#1 v1.5 (see [17] and Figure 3): a certain constant (depending on the 
hash function) is added to the left, then a zero byte is added to the left, as well 
as as many FF bytes as necessary, in such a way that the final value consists of 
the two bytes 00 01, followed by the FF bytes, and the rest. With DSA, there is 
no need to apply a signature padding, as the DSS standard completely specifies 
how a message is signed. 

Fig. 3. PKCS#1 v1.5 signature padding, block type 01: 00 | 01 | FF bytes | 00 | 
constant | hashed message. 

The randomness required by ElGamal and DSA is obtained by a process 
following the principles of [11]. 
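The session-key block of Figure 1 and the two PKCS#1 v1.5 block types of Figures 2 and 3, as an added worked example that is neither code from the paper nor from GPG: it builds and parses both encodings, and its decoder applies the structural checks whose outcome is the validity oracle discussed in Section 3.3. The SHA-1 DigestInfo constant is the one published in PKCS#1 and RFC 2440; the CAST5 identifier 3 is OpenPGP's; the 128-byte modulus size and the 16-byte key are constructed sample values.

```python
import hashlib
import os

# DigestInfo constant for SHA-1 from PKCS#1 v1.5 (the "constant" of Figure 3);
# every hash function has its own such prefix.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

# OpenPGP symmetric algorithm identifier for CAST5 (128-bit key), one of the
# ciphers listed in Section 2.
CAST5_ID = 3


def encode_session_key(algo_id, key):
    """Figure 1: one-octet algorithm id, the key, then the sum of the key octets
    modulo 65536 on two octets (big-endian)."""
    checksum = sum(key) % 65536
    return bytes([algo_id]) + bytes(key) + checksum.to_bytes(2, "big")


def decode_session_key(block):
    """Inverse of encode_session_key, verifying the checksum."""
    if len(block) < 4:
        raise ValueError("session key block too short")
    algo_id, key = block[0], block[1:-2]
    if int.from_bytes(block[-2:], "big") != sum(key) % 65536:
        raise ValueError("session key checksum mismatch")
    return algo_id, key


def pkcs1_v15_pad(block_type, payload, k):
    """EM = 00 || BT || PS || 00 || payload, k bytes long (k = size of the modulus).
    Block type 02 (encryption) uses non-zero random bytes for PS, block type 01
    (signature) uses FF bytes; PS must be at least 8 bytes long."""
    ps_len = k - 3 - len(payload)
    if ps_len < 8:
        raise ValueError("payload too long for this modulus size")
    if block_type == 2:
        ps = b""
        while len(ps) < ps_len:  # draw random bytes and drop every zero byte
            ps += bytes(c for c in os.urandom(ps_len - len(ps)) if c != 0)
    elif block_type == 1:
        ps = b"\xff" * ps_len
    else:
        raise ValueError("unsupported block type")
    return b"\x00" + bytes([block_type]) + ps + b"\x00" + payload


def pkcs1_v15_unpad(em, block_type):
    """Structural checks a decoder performs before using the payload. Letting the
    sender learn whether they passed is the validity oracle of Section 3.3."""
    if len(em) < 11 or em[0] != 0 or em[1] != block_type:
        raise ValueError("bad leading bytes")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # no separator, or fewer than 8 padding bytes
        raise ValueError("bad padding string")
    if block_type == 1 and any(c != 0xFF for c in em[2:sep]):
        raise ValueError("type 01 padding must consist of FF bytes")
    return em[sep + 1:]


def encode_signature_digest(message, k):
    """Figure 3: hash the message, prefix the DigestInfo constant, pad as type 01."""
    return pkcs1_v15_pad(1, SHA1_DIGESTINFO + hashlib.sha1(message).digest(), k)


def check_signature_encoding(em, message):
    """Verifier side of Figure 3: strip the padding and compare the DigestInfo."""
    try:
        return pkcs1_v15_unpad(em, 1) == SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    except ValueError:
        return False


def session_key_roundtrip(key, k=128):
    """Encode a constructed session key for a k-byte modulus and decode it again."""
    em = pkcs1_v15_pad(2, encode_session_key(CAST5_ID, key), k)
    algo_id, recovered = decode_session_key(pkcs1_v15_unpad(em, 2))
    return len(em), algo_id, recovered == bytes(key)
```

The decoder above raises a different error for each failed check; a decoder exposed to untrusted senders should instead reduce all of them to a single accept/reject outcome that the sender cannot observe, since any observable difference is the oracle the later sections rely on.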

3 The Implementation of ElGamal 

GPG uses the same key generation for signature and encryption. It implements 
ElGamal in a multiplicative group $\mathbb{Z}_p^*$ (where p is a large prime) with generator 
g. The private key is denoted by x, and the corresponding public key is 
$y = g^x \bmod p$. 

3.1 Key Generation 

The large prime number p is chosen in such a way that the factorization of 
p − 1 is completely known and all the prime factors of (p − 1)/2 have bit-length 
larger than a threshold $q_{bit}$ depending on the requested bit-length of p. The 
correspondence between the size of p and the threshold is given by the so-called 
Wiener table (see Figure 4): notice that $q_{bit}$ is always less than the bit-length 
of p. 



Fig. 4. The Wiener table used to generate ElGamal primes: bit-length of p 
against the threshold $q_{bit}$. 



Once p is selected, a generator g of $\mathbb{Z}_p^*$ is found by testing successive potential 
generators (thanks to the known factorization of p − 1), starting with the number 
3: If 3 turns out not to be a generator, then one tries with 4, and so on. The 
generation of the pair (p, g) is specified in the procedure generate_elg_prime 
of the file cipher/primegen.c. The generation of the pair of public and private 
keys is done in the procedure generate of the file cipher/elgamal.c. Although 
the generator g is likely to be small, we note that because all the factors of 
(p − 1)/2 have at least $q_{bit} \geq 119$ bits, and g > 2, Bleichenbacher’s forgery [3] of 
ElGamal signatures does not seem to apply here. 

The private exponent x is not chosen as a pseudo-random number modulo 
p − 1, although GPG makes the following comment: select a random number 
which has these properties: 0 < x < p − 1. This must be a very good random 
number because this is the secret part. Instead, x is chosen as a pseudo-random 
number of bit-length $3q_{bit}/2$, which is explained by the following comment (and 
which somehow contradicts the previous one): I don’t see a reason to have a x of 
about the same size as the p. It should be sufficient to have one about the size of 
q or the later used k plus a large safety margin. Decryption will be much faster 
with such an x. Thus, one chooses an x much smaller than p to speed-up the 
private operations. Unfortunately, we will see that this has implications on the 
security of GPG-ElGamal signatures. 

3.2 Signature 

Description. The signature of a message already formatted as an integer m 
modulo p (as described in Section 2.2), is the pair (a, b) where: $a = g^k \bmod p$ and 
$b = (m - ax)k^{-1} \pmod{p-1}$. The integer k is a “random” number coprime 
with p − 1, which must be generated at each signature. GPG verifies a signature 
(a, b) by checking that 0 < a < p and $y^a a^b \equiv g^m \pmod p$. We note that such a 
signature verification does not prevent malleability (see [30] for a discussion on 
malleability): if (a, b) is a valid signature of m, then (a, b + u(p − 1)) is another 
valid signature of m for all integers u, because there is no range check over b. 
This is a minor problem, but there is worse. 

Theoretically, k should be a cryptographically secure random number modulo 
p − 1 such that k is coprime to p − 1. Recent attacks on discrete-log signature 
schemes (see [22,2,13]) have shown that any leakage of information (or any peculiar 
property) on k may enable an attacker to recover the signer’s private key 
in a much shorter time than what is usually required to solve discrete logarithms, 
provided that sufficiently many message/signature pairs are available. 
Intuitively, if partial information on k is available, each message/signature pair 
discloses information on the signer’s private key, even though the signatures use 
different k’s: when enough such pairs are gathered, it might become possible to 
extract the private key. Unfortunately, the GPG generation of k falls short of 
such recommendations. 

The generation of k is described in the procedure gen_k of the file 
cipher/elgamal.c. It turns out that k is first chosen with $3q_{bit}/2$ pseudo- 
random bits (as in the generation of the private exponent x, except that k 
may have less than $3q_{bit}/2$ bits). Next, as long as k is not coprime with p − 1, 
k is incremented. Obviously, the final k is much smaller than p, and therefore 
far from being uniformly distributed modulo p − 1: the bit-length of k should 
still be around $3q_{bit}/2$, while that of p is at least $4q_{bit}$. This is explained in the 
following comment: IMO using a k much lesser than p is sufficient and it greatly 
improves the encryption performance. We use Wiener’s table and add a large 
safety margin. One should bear in mind that the same generation of k is used 
for both encryption and signature. However, the choice of a small k turns out to 
be dramatic for signature, rather than for encryption. 



Attacking GPG-ElGamal Signatures. Independently of the choice of the 
private exponent x, because k is much smaller than p − 1, one could apply the 
lattice-based attack of Nguyen-Shparlinski [22] with very slight modifications, 
provided that a few signatures are known. However, because x is so small, there 
is even a simpler attack, using only a single signature! Indeed, we have the 
following congruence: 

$$bk + ax \equiv m \pmod{p-1}. \qquad (1)$$

In this congruence, only k and x are unknowns, and they are unusually small: 
From Wiener’s table (Figure 4), we know that k and x are much smaller than 

Linear congruences with small unknowns occur frequently in public-key 
cryptanalysis (see for instance the survey [24]), and they are typically solved 
with lattice techniques. We assume that the reader is familiar with lattice the- 
ory (see Appendix A and the references of [24]). Following the classical strategy 
described in [24], we view the problem as a closest vector problem in a two- 
dimensional lattice, using lattices defined by a single linear congruence. The 
following lemma introduces the kind of two-dimensional lattices we need: 

Lemma 1. Let $(\alpha, \beta) \in \mathbb{Z}^2$ and n be a positive integer. Let d be the greatest 
common divisor of $\alpha$ and n. Let e be the greatest common divisor of $\alpha$, $\beta$ and 
n. Let L be the set of all $(u, v) \in \mathbb{Z}^2$ such that $\alpha u + \beta v \equiv 0 \pmod n$. Then: 

1. L is a two-dimensional lattice in $\mathbb{Z}^2$. 

2. The determinant of L is equal to n/e. 

3. There exists $u \in \mathbb{Z}$ such that $\alpha u + (\beta/e)d \equiv 0 \pmod n$. 

4. The vectors (n/d, 0) and (u, d/e) form a basis of L. 
Proof. By definition, L is a subgroup of $\mathbb{Z}^2$, hence a lattice. Besides, L contains 
the two linearly independent vectors (n, 0) and (0, n), which proves statement 
1. Let f be the function that maps $(u, v) \in \mathbb{Z}^2$ to $\alpha u + \beta v$ modulo n. f is a 
group morphism between $\mathbb{Z}^2$ and the additive group $\mathbb{Z}_n$. The image of f is the 
subgroup (of $\mathbb{Z}_n$) spanned by the greatest common divisor of $\alpha$ and $\beta$: it follows 
that the image of f has exactly n/e elements. Since L is the kernel of f, we 
deduce that the index of L in $\mathbb{Z}^2$ is equal to n/e, which proves statement 2. 
Statement 3 holds because the greatest common divisor of $\alpha$ and n is d, which 
divides the integer $(\beta/e)d$. By definition of u, the vector (u, d/e) belongs to L. 
Obviously, the vector (n/d, 0) belongs to L. But the determinant of those two 
vectors is n/e, that is, the determinant of L. This proves statement 4. □ 

We use the following lattice: 

$$L = \{(u, v) \in \mathbb{Z}^2 : bu + av \equiv 0 \pmod{p-1}\}. \qquad (2)$$

By Lemma 1, a basis of L can easily be found. We then compute an arbitrary 
pair $(k', x') \in \mathbb{Z}^2$ such that $bk' + ax' \equiv m \pmod{p-1}$. To do so, we can apply 
the extended Euclidean algorithm to express the greatest common divisor of a, b 
and p − 1 as a linear combination of a, b and p − 1. This gcd must divide m 
by (1), and therefore, a suitable multiplication of the coefficients of the linear 
combination gives an appropriate (k', x'). 

The vector $l = (k' - k, x' - x)$ belongs to L and is quite close to the vector 
$t = (k' - 2^{3q_{bit}/2 - 1}, x' - 2^{3q_{bit}/2 - 1})$. Indeed, k has about $3q_{bit}/2$ bits and x has 
exactly $3q_{bit}/2$ bits, therefore the distance between l and t is about $2^{3q_{bit}/2}$, 
which is much smaller than $\det(L)^{1/2}$, because from Lemma 1: 

$$\det(L) = \frac{p-1}{\gcd(a, b, p-1)}.$$

From the structure of p − 1 and the way a and b are defined, we thus expect 
det(L) to be around p. Hence, we can hope that l is the closest vector of t in 
the lattice L, due to the huge size difference between $2^{3q_{bit}/2}$ and $\sqrt{p}$, for 
all the values of $q_{bit}$ given by Figure 4: this heuristic reasoning is frequent in 
lattice-based cryptanalysis, here it can however be proved if we assume that 
the distribution of a and b is uniform modulo p − 1 (see Appendix B). If l is 
the closest vector of t, l and therefore the private exponent x can be recovered 
from a two-dimensional closest vector computation (we know t and a basis of L). 
And such a closest vector computation can be done in quadratic time (see for 
instance [23]), using the classical Gaussian algorithm for two-dimensional lattice 
reduction. Figure 5 sums up the attack, which clearly runs in polynomial time. 

Alternatively, if one wants to program as little as possible, one can mount 
another lattice-based attack, by simply computing a shortest vector of the 4- 
dimensional lattice L' spanned by the following row vectors, where K is a large 
constant: 

$$\begin{pmatrix} (p-1)K & 0 & 0 & 0 \\ -mK & 2^{3q_{bit}/2} & 0 & 0 \\ bK & 0 & 1 & 0 \\ aK & 0 & 0 & 1 \end{pmatrix}$$
Input: The public parameters and a GPG-ElGamal signature (a, b) of m. 
Expected output: The signer’s private exponent x. 

1. Compute a basis of the lattice L of (2), using statement 4 of Lemma 1. 

2. Compute $(k', x') \in \mathbb{Z}^2$ such that $bk' + ax' \equiv m \pmod{p-1}$, 
using the Euclidean algorithm. 

3. Compute the target vector $t = (k' - 2^{3q_{bit}/2-1}, x' - 2^{3q_{bit}/2-1})$. 

4. Compute the lattice vector l closest to t in the two-dimensional lattice L. 

5. Return x' minus the second coordinate of l. 

Fig. 5. An attack using a single GPG-ElGamal signature. 



This shortest vector computation can be done in quadratic time using the 
lattice reduction algorithm of [23]. The lattice L' contains the short vector 
$(0, 2^{3q_{bit}/2}, k, x)$ because of (1). This vector is expected to be a shortest lattice 
vector under roughly the same condition on $q_{bit}$ and p as in the previous 
lattice attack (we omit the details). Thus, for all values of Wiener’s table (see 
Figure 4), one can hope to recover the private exponent x as the absolute value 
of the last coordinate of any shortest nonzero vector of L'. 

We implemented the last attack with Shoup’s NTL library [29], using the 
integer LLL algorithm to obtain short vectors. In our experiments, the attack 
worked for all the values of Wiener’s table, and the total running time was 
negligible (less than a second). 
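As an added example, which is neither the NTL program of the paper nor GPG's code, the following Python reconstructs at toy size the generation of Section 3.1 (every factor of (p − 1)/2 has at least $q_{bit}$ bits, g found by trying 3, 4, ...), the short x and k of Sections 3.1 and 3.2, and the single-signature recovery of Figure 5 with the basis of Lemma 1. Step 4 uses Lagrange-Gauss reduction followed by Babai rounding (the closest-vector reasoning of Appendix A) instead of the algorithm of [23]; the sizes ($q_{bit}$ = 24 with five factors, so p has about 120 bits), the fixed seed and the `inv` helper are constructed choices. It makes concrete why an x and a k of $3q_{bit}/2$ bits cannot be tolerated once p has $4q_{bit}$ bits or more, which is why these keys were withdrawn.

```python
import random
from fractions import Fraction
from math import gcd, prod

rng = random.Random(2004)  # fixed seed: every run builds the same toy key

def is_prime(n):
    """Miller-Rabin with 12 fixed bases (exact below 3e23); callers pass n > 37."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(c):
            return c

def generate_elg_prime(qbit, nfactors):
    """Section 3.1: p = 2*q1*...*qn + 1 with qbit-bit primes qi, so every factor of
    (p-1)/2 has at least qbit bits; g = 3, 4, ... is tested with the factorization."""
    while True:
        qs = [random_prime(qbit) for _ in range(nfactors)]
        p = 2 * prod(qs) + 1
        if is_prime(p):
            break
    g = 3
    while any(pow(g, (p - 1) // f, p) == 1 for f in {2, *qs}):
        g += 1
    return p, g

def keygen(p, g, qbit):
    x = rng.getrandbits(3 * qbit // 2) | (1 << (3 * qbit // 2 - 1))  # exactly 3*qbit/2 bits
    return x, pow(g, x, p)

def sign(p, g, x, m, qbit):
    """(a, b) with a = g^k mod p and b = (m - a*x) * k^-1 mod (p-1)."""
    k = rng.getrandbits(3 * qbit // 2)  # gen_k: 3*qbit/2 bits, then ...
    while gcd(k, p - 1) != 1:           # ... incremented until coprime with p-1
        k += 1
    a = pow(g, k, p)
    return a, (m - a * x) * pow(k, -1, p - 1) % (p - 1)

def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]

def gauss_reduce(b1, b2):  # Lagrange-Gauss reduction of a two-dimensional basis
    if dot(b1, b1) > dot(b2, b2):
        b1, b2 = b2, b1
    while True:
        mu = round(Fraction(dot(b1, b2), dot(b1, b1)))
        b2 = (b2[0] - mu * b1[0], b2[1] - mu * b1[1])
        if dot(b2, b2) >= dot(b1, b1):
            return b1, b2
        b1, b2 = b2, b1

def closest_vector(b1, b2, t):
    """Babai rounding on a reduced basis: exact here because t lies far closer to
    the lattice than the basis vectors are long (Appendix A)."""
    det = b1[0] * b2[1] - b1[1] * b2[0]
    c1 = round(Fraction(t[0] * b2[1] - t[1] * b2[0], det))
    c2 = round(Fraction(b1[0] * t[1] - b1[1] * t[0], det))
    return (c1 * b1[0] + c2 * b2[0], c1 * b1[1] + c2 * b2[1])

def inv(v, mod):
    return pow(v, -1, mod) if mod > 1 else 0  # helper: everything is 0 modulo 1

def recover_x(p, a, b, m, qbit):
    """Figure 5 on the lattice L = {(u, v): b*u + a*v = 0 (mod p-1)} of (2)."""
    n = p - 1
    d, e = gcd(b, n), gcd(gcd(b, n), a)                # Lemma 1: alpha = b, beta = a
    ib = inv(b // d, n // d)
    u = (-(a // e) * ib) % (n // d)                    # b*u + (a/e)*d = 0 (mod n)
    b1, b2 = gauss_reduce((n // d, 0), (u, d // e))    # step 1: basis of statement 4
    x1 = (m // e) * inv(a // e, d // e) % (d // e)     # step 2: a*x1 = m (mod d), then
    k1 = ((m - a * x1) // d) * ib % (n // d)           # b*k1 = m - a*x1 (mod n)
    shift = 1 << (3 * qbit // 2 - 1)
    l = closest_vector(b1, b2, (k1 - shift, x1 - shift))  # steps 3 and 4
    return x1 - l[1]                                      # step 5

def demo(qbit=24, nfactors=5):
    p, g = generate_elg_prime(qbit, nfactors)  # p has roughly 5*qbit bits here
    x, y = keygen(p, g, qbit)
    m = rng.randrange(1, p - 1)  # stands for the padded hash of Section 2.2
    a, b = sign(p, g, x, m, qbit)
    return {"p_bits": p.bit_length(),
            "verified": pow(y, a, p) * pow(a, b, p) % p == pow(g, m, p),
            "ok": recover_x(p, a, b, m, qbit) == x}
```

`demo()` returns `"ok": True` whenever the closest-vector step lands on l, which Lemma 2 says happens with overwhelming probability; the whole run, prime generation included, takes a fraction of a second. Raising x and k to the full size of p − 1 in `keygen` and `sign` is the one change that makes `recover_x` fail, which is the point of Section 3.2.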



Practical Impact. We have shown that GPG’s implementation of the ElGamal 
signature is totally insecure: an attacker can recover the signer’s private key from 
the public key and a single message/signature pair in less than a second. Thus, 
GPG-ElGamal signing keys should be considered compromised, as announced 
by the GPG development team [19]. There are two types of ElGamal signing keys 
in GPG: 

— The primary ElGamal sign+encrypt keys. When running the command 
gpg --list-keys, such keys can be spotted by a prefix of the form pub 
2048G/ where 2048 can be replaced by any possible keylength. The prefix 
pub specifies a primary key, while the capital letter G indicates an ElGamal 
sign+encrypt key. 

— The ElGamal sign+encrypt subkeys. When running the command gpg 
--list-keys, such keys can be spotted by a prefix of the form sub 2048G/ 
where 2048 can be replaced by any possible keylength. The prefix sub indi- 
cates a subkey. 

The primary keys are definitely compromised because such keys automatically 
come up with a signature to bind the user identity to the public key, thus dis- 
closing the private key immediately. The subkeys may not be compromised if 
no signature has ever been generated. In both cases, it is worth noting that the 
signing key is also an encryption key, so the damage is not limited to authentica- 
tion: a compromised ElGamal signing key would also disclose all communications 
encrypted with the corresponding public key. 

The mistake of using a small k and a small x dates back to GPG v1.0.2 (which 
was released in January 2000), when the generation of k and x was changed to 
improve performances: the flaw has therefore been present in GPG for almost 
four years. A signing key created prior to GPG v1.0.2 may still be compromised 
if a signature using that key has been generated with GPG v1.0.2 or later. 

Nobody knows how many ElGamal sign+encrypt keys there are. What one 
knows is the number of ElGamal sign+encrypt keys that have been registered 
on keyservers. According to keyserver statistics (see [19]), there are 848 regis- 
tered primary ElGamal sign+encrypt keys (which is a mere 0.04% of all 
primary keys on keyservers) and 324 registered ElGamal sign+encrypt subkeys: 
of course, GPG advised all the owners of such keys to revoke their keys. These 
(fortunately) small numbers can be explained by the fact that ElGamal signing 
keys were never GPG’s default option for signing, and their use was not really 
advocated. 

As a consequence, ElGamal signatures and ElGamal sign+encrypt keys have 
recently been removed from GPG, and the GNU/Linux distributions which in- 
clude GPG have been updated accordingly. 

3.3 Encryption 

Let m be the message to be encrypted. The message m is formatted in the way 
described in Section 2.1. The ciphertext is the pair (a, b) where: $a = g^k \bmod p$ 
and $b = my^k \bmod p$. The integer k is a “random” number coprime with p − 1. 
Theoretically, k should be a cryptographically secure random number modulo 
p − 1 such that k is coprime to p − 1. But the generation of k is performed using 
the same procedure gen_k called by the ElGamal signature generation process. 
Thus, k is first selected with $3q_{bit}/2$ pseudo-random bits. Next, as long as k is 
not coprime with p − 1, k is incremented. Hence, k is much smaller than p − 1. 

The security assumption for the hardness of decryption is no longer the stan- 
dard Diffie-Hellman problem: instead, this is the Diffie-Hellman problem with 
short exponents (see [25]). Because the key generation makes sure that all the 
factors of (p − 1)/2 have bit-length ≥ $q_{bit}$, the best known attack to recover the 
plaintext requires a running time which is not a real threat. 

However, the session key is formatted according to a specific padding, 
PKCS#1 v1.5 block type 02, which does not provide chosen-ciphertext secu- 
rity (see [4]). If we had access to a validity-checking oracle (which is weaker 
than a decryption oracle) that tells whether or not a given ciphertext is the 
ElGamal encryption of a message formatted with PKCS#1 v1.5 block type 02, 
we could apply Bleichenbacher’s attack [4] to decrypt any ciphertext. Indeed, 
even though Bleichenbacher’s attack was originally described with RSA, it also 
applies to ElGamal due to its homomorphic property: if (a, b) and (a', b') are 
ElGamal ciphertexts of respectively m and m', then $(aa' \bmod p,\; bb' \bmod p)$ is 
an ElGamal ciphertext of $mm' \bmod p$. One could argue that a validity-checking 
oracle is feasible in the situation where a user has configured his software to au- 
tomatically decrypt any encrypted emails he receives: if an encrypted email turns 
out not to be valid, the user would inform the sender. However, Bleichenbacher’s 
attack requires a large number of oracle calls, which makes the attack debatable 
in an email context. Nevertheless, it would be better if OpenPGP recommended 
a provably secure variant of ElGamal encryption such as ACE-KEM selected by 
NESSIE [8]. 
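The homomorphic property that carries Bleichenbacher's attack over from RSA to ElGamal, as an added example (constructed here, not GPG code): textbook ElGamal in $\mathbb{Z}_p^*$ with the toy prime p = 2^31 − 1 and generator 7 (both constructed choices), with an option to draw k from far fewer bits than p, as gen_k does. The point is that `combine` needs no key, so a ciphertext can be transformed by anyone into another ciphertext whose plaintext is related in a known way.

```python
import random
from math import gcd

P = 2 ** 31 - 1  # a Mersenne prime: toy size, chosen for readability
G = 7            # a generator of Z_P^*
rng = random.Random(31)


def keygen():
    x = rng.randrange(1, P - 1)
    return x, pow(G, x, P)


def encrypt(y, m, kbits=None):
    """(a, b) = (g^k, m*y^k) mod p. kbits=None draws k over the whole range; a small
    kbits mimics the short nonce of gen_k (incremented until coprime with p-1)."""
    k = rng.randrange(1, P - 1) if kbits is None else rng.getrandbits(kbits)
    while gcd(k, P - 1) != 1:
        k += 1
    return pow(G, k, P), m * pow(y, k, P) % P


def decrypt(x, ct):
    a, b = ct
    return b * pow(a, P - 1 - x, P) % P  # a^(-x) = a^(p-1-x), since a^(p-1) = 1


def combine(ct1, ct2):
    """(a*a', b*b') mod p: computable from two ciphertexts alone, no key needed."""
    return ct1[0] * ct2[0] % P, ct1[1] * ct2[1] % P


def roundtrip(m, kbits=None):
    x, y = keygen()
    return decrypt(x, encrypt(y, m, kbits)) == m


def homomorphism_holds(m1, m2):
    """The combined ciphertext decrypts to m1*m2 mod p, as stated in Section 3.3."""
    x, y = keygen()
    return decrypt(x, combine(encrypt(y, m1), encrypt(y, m2))) == m1 * m2 % P
```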

4 The Implementation of RSA 

4.1 Key Generation 

To generate the parameters p, q, n, e, d, GPG implements the process described 
in Figure 6. Although the process does not lead to any realistic attack, it is 
worth noting that the process leaks information on the private key. Indeed, the 
value of the RSA public exponent e discloses additional information on $\varphi(n)$. 
For instance, if we see a GPG-RSA public key with e > 65539, we know that 
$\varphi(n)$ is divisible by the prime numbers 41, 257 and 65537: we learn a 30-bit 
factor of $\varphi(n)$, namely 41 × 257 × 65537. However, the probability of getting 
e > 65539 after the process is very small. To our knowledge, efficient attacks 
to factor n from partial knowledge of $\varphi(n)$ require a factor of $\varphi(n)$ larger than 
a certain threshold. Thus, this flaw does not lead to a serious attack, since the 
probability of getting a factor above that threshold after the process is way too small. 

Input: Bit-length k of the RSA modulus. 

1. Repeat 

2. Generate a pseudo-random prime p of k/2 bits. 

3. Generate a pseudo-random prime q of k/2 bits. 

4. If p > q, swap p and q. 

5. n ← pq. 

6. Until the bit-length of n is equal to k. 

7. If 41 is coprime with $\varphi(n)$, then e ← 41 

8. Else if 257 is coprime with $\varphi(n)$, then e ← 257 

9. Else 

10. e ← 65537 

11. While e is not coprime with $\varphi(n)$, e ← e + 2 

12. Let d be the inverse of e modulo $\varphi(n)$. 

Fig. 6. The RSA key generation in GnuPG. 

Nevertheless, any leakage on $\varphi(n)$ (apart from the fact that e is coprime 
with $\varphi(n)$) is not recommended: if one really wants a small public exponent, one 
should rather select e first, and then generate the primes p and q until both p − 1 
and q − 1 are coprime with e. 
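The process of Figure 6 and the alternative recommended just above, as an added toy reconstruction (constructed example, not GnuPG's code): 16-bit primes found by trial division and a fixed seed are constructed choices, and `phi_factor_leaked_by_e` reads off from e alone which of the skipped candidates must divide $\varphi(n)$.

```python
import random
from math import gcd

rng = random.Random(1)  # fixed seed so that every run draws the same toy keys


def is_prime(n):
    """Trial division, adequate for the 16-bit primes used in this toy."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def random_prime(bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(c):
            return c


def gpg_rsa_keygen(k):
    """Figure 6: draw the primes first, then pick e from 41, 257, 65537, 65539, ..."""
    while True:                                   # steps 1-6
        p, q = random_prime(k // 2), random_prime(k // 2)
        if p > q:
            p, q = q, p
        n = p * q
        if n.bit_length() == k:
            break
    phi = (p - 1) * (q - 1)
    if gcd(41, phi) == 1:                         # step 7
        e = 41
    elif gcd(257, phi) == 1:                      # step 8
        e = 257
    else:                                         # steps 9-11
        e = 65537
        while gcd(e, phi) != 1:
            e += 2
    return p, q, n, e, pow(e, -1, phi)            # step 12


def phi_factor_leaked_by_e(e):
    """What the public exponent alone reveals about phi(n) under Figure 6: every
    candidate that was skipped is a prime dividing phi(n)."""
    leaked = 1
    if e != 41:
        leaked *= 41                              # 41 was rejected
    if e not in (41, 257):
        leaked *= 257                             # 257 was rejected as well
    if e > 65537:
        leaked *= 65537                           # and so was 65537
    return leaked


def e_first_keygen(k, e=65537):
    """The order the text recommends: fix e, redraw p and q until p-1 and q-1 are
    coprime with e, so the public key says nothing about phi(n) beyond that."""
    while True:
        p, q = random_prime(k // 2), random_prime(k // 2)
        n = p * q
        if n.bit_length() == k and gcd(p - 1, e) == 1 and gcd(q - 1, e) == 1:
            return p, q, n, e, pow(e, -1, (p - 1) * (q - 1))


def check_leak(trials=200, k=32):
    """Over many Figure 6 keys, the factor read off e always divides phi(n)."""
    for _ in range(trials):
        p, q, n, e, d = gpg_rsa_keygen(k)
        phi = (p - 1) * (q - 1)
        if phi % phi_factor_leaked_by_e(e) != 0 or e * d % phi != 1:
            return False
    return True


def check_e_first(trials=50, k=32, e=41):
    """Keys from e_first_keygen are valid and phi(n) is coprime with the fixed e."""
    for _ in range(trials):
        p, q, n, ee, d = e_first_keygen(k, e)
        if ee * d % ((p - 1) * (q - 1)) != 1 or gcd((p - 1) * (q - 1), e) != 1:
            return False
    return True
```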
4.2 Encryption 

As already mentioned in Section 2, GPG implements RSA encryption as defined 
by PKCS#1 v1.5. This is not state-of-the-art cryptography: like with ElGamal, 
Bleichenbacher’s chosen-ciphertext attack [4] can decrypt any ciphertext. But, as 
mentioned in 3.3, the relevance of such attacks to the email world is debatable, 
in part because of the high number of oracle calls. We hope that future versions 
of the OpenPGP standard will recommend better RSA encryption standards 
(see for instance PKCS#1 v2.1 [20] or NESSIE [8]). 

4.3 Signature 

GPG implements RSA signatures as defined by PKCS#1 v1.5. Again, this is not 
state-of-the-art cryptography (no security proof is known for this padding), but 
we are unaware of any realistic attack with the GPG setting, as opposed to some 
other paddings (see [7]). The RSA verification does not seem to check the range of 
the signature with respect to the modulus, which gives (marginal) malleability 
(see [30]): given a signature s of m, one can forge another signature s' of m. 
As with encryption, we hope that future versions of the OpenPGP standard will 
recommend a better RSA signature standard (see for instance PKCS#1 v2.1 [20] 
or NESSIE [8]). 
A Lattices in a Nutshell 

We recall basic facts about lattices. To learn more about lattices, see [24] for 
a list of references. Informally speaking, a lattice is a regular arrangement of 
points in n-dimensional space. In this paper, by the term lattice, we actually 
mean an integral lattice. 

An integral lattice is a subgroup of $(\mathbb{Z}^n, +)$, that is, a non-empty subset L of 
$\mathbb{Z}^n$ which is stable by subtraction: $x - y \in L$ whenever $(x, y) \in L^2$. The simplest 
lattice is $\mathbb{Z}^n$. It turns out that in any lattice L, not just $\mathbb{Z}^n$, there must exist 
linearly independent vectors $b_1, \ldots, b_d \in L$ such that: 

$$L = \left\{ \sum_{i=1}^{d} n_i b_i \;\middle|\; n_i \in \mathbb{Z} \right\}.$$

Any such d-tuple of vectors $b_1, \ldots, b_d$ is called a basis of L: a lattice can be 
represented by a basis, that is, a matrix. Reciprocally, if one considers d integral 
vectors $b_1, \ldots, b_d \in \mathbb{Z}^n$, the previous set of all integral linear combinations of 
the $b_i$’s is a subgroup of $\mathbb{Z}^n$, and therefore a lattice. 

The dimension of a lattice L is the dimension d of the linear span of L: any 
basis of L has exactly d elements. It turns out that the d-dimensional volume 
of the parallelepiped spanned by an arbitrary basis of L only depends on L, 
not on the basis itself: this volume is called the determinant (or volume) of L. 
When the lattice is full-rank, that is, when the lattice dimension d equals the 
space dimension n, the determinant of L is simply the absolute value of the 
determinant of any basis. Thus, the volume of $\mathbb{Z}^n$ is 1. 

Since our lattices are subsets of $\mathbb{Z}^n$, they must have a shortest nonzero vector: 
In any lattice $L \subseteq \mathbb{Z}^n$, there is at least one nonzero vector $v \in L$ such that no 
other nonzero lattice vector has a Euclidean norm strictly smaller than that of v. 
Finding such a vector v from a basis of L is called the shortest vector problem. 
When the lattice dimension is fixed, it is possible to solve the shortest vector 
problem in polynomial time (with respect to the size of the basis), using lattice 
reduction techniques. But the problem becomes much more difficult if the lattice 
dimension varies. In this article, we only deal with low-dimensional lattices, so 
the shortest vector problem is really not a problem. 

The lattice determinant is often used to estimate the size of short lattice 
vectors. In a typical d-dimensional lattice L, if one knows a nonzero vector 
$v \in L$ whose Euclidean norm is much smaller than $\det(L)^{1/d}$, then this vector 
is likely to be the shortest vector, in which case it can be found by solving the 
shortest vector problem, because any shortest vector would be expected to be 
equal to ±v. Although this can sometimes be proved, this is not a theorem: there 
are counter-examples, but it is often true with the lattices one is faced with in 
practice, which is what we mean by a typical lattice. 

Another problem which causes no troubles when the lattice dimension is fixed 
is the closest vector problem: given a basis of $L \subseteq \mathbb{Z}^n$ and a point $t \in \mathbb{Q}^n$, find a 
lattice vector $l \in L$ minimizing the Euclidean norm of $l - t$. Again, in a typical 
d-dimensional lattice L, if one knows a vector t and a lattice vector l such that 
the norm of $t - l$ is much smaller than $\det(L)^{1/d}$, then l is likely to be the closest 
lattice vector of t in L, in which case l can be found by solving the closest vector 
problem. Indeed, if there was another lattice vector l' close to t, then $l - l'$ would 
be a lattice vector of norm much smaller than $\det(L)^{1/d}$: it should be zero. 
B Proving the GPG-ElGamal Attack 

We use the same notation as in Section 3.2. Let (a, b) be a GPG-ElGamal 
signature of m. If we make the simplifying assumption that both a and b are 
uniformly distributed modulo p − 1, then the attack of Figure 5 can be proved, 
using the following lemma (which is not meant to be optimal, but is sufficient 
for our purpose): 

Lemma 2. Let $\varepsilon > 0$. Let p be a prime number such that all the prime factors of 
$(p-1)/2$ are $\geq 2^{q_{bit}}$. Let a and b be chosen uniformly at random over $\{0, \ldots, p-2\}$. 
Let L be the lattice defined by (2). Then the probability (over the choice of 
a and b) that there exists a non-zero $(u, v) \in L$ such that both |u| and |v| are 
$< 2^{3q_{bit}/2+\varepsilon}$ is less than: 

$$\frac{2^{7q_{bit}/2 + 5 + 3\varepsilon} \log_2 p}{(p-1)\, q_{bit}}.$$

Proof. This probability P is less than the sum of all the probabilities $P_{u,v}$, where 
the sum is over all the $(u, v) \neq (0, 0)$ such that both |u| and |v| are $< 2^{3q_{bit}/2+\varepsilon}$, 
and $P_{u,v}$ denotes the probability (over the choice of a and b) that $(u, v) \in L$. Let 
$(u, v) \in \mathbb{Z}^2$ be fixed and nonzero. If v = 0, there are at most $2\gcd(u, (p-1)/2)$ 
values of b in the set $\{0, \ldots, p-2\}$ such that: 

$$bu + av \equiv 0 \pmod{(p-1)/2}. \qquad (3)$$

It follows that: 

$$P_{u,0} \leq \frac{2\gcd(u, (p-1)/2)}{p-1}.$$

If $v \neq 0$: for any b, there are at most $2\gcd(v, (p-1)/2)$ values of a in the set 
$\{0, \ldots, p-2\}$ which satisfy (3), therefore: 

$$P_{u,v} \leq \frac{2\gcd(v, (p-1)/2)}{p-1}.$$

Hence: 

$$P \leq \left(1 + 2^{3q_{bit}/2+1+\varepsilon}\right) S, \quad \text{where} \quad S = \sum_{0 < |u| < 2^{3q_{bit}/2+\varepsilon}} \frac{2\gcd(u, (p-1)/2)}{p-1} = \sum_{0 < |v| < 2^{3q_{bit}/2+\varepsilon}} \frac{2\gcd(v, (p-1)/2)}{p-1}.$$

To bound S, we split the sum in two parts, depending on whether or not 
$\gcd(u, (p-1)/2) > 1$. If $\gcd(u, (p-1)/2) > 1$, then $\gcd(u, (p-1)/2) \leq |u| < 
2^{3q_{bit}/2+\varepsilon}$, and u must be divisible by a prime factor of $(p-1)/2$ which is neces- 
sarily $\geq 2^{q_{bit}}$: the number of such u’s is less than $2^{q_{bit}/2+1+\varepsilon}(\log_2 p)/q_{bit}$ because 
the number of prime factors of $(p-1)/2$ is less than $(\log_2 p)/q_{bit}$. We obtain: 

$$S \leq 2^{3q_{bit}/2+1+\varepsilon} \times \frac{2}{p-1} + 2^{q_{bit}/2+1+\varepsilon}\,\frac{\log_2 p}{q_{bit}} \times \frac{2 \cdot 2^{3q_{bit}/2+\varepsilon}}{p-1} \leq \frac{2^{2q_{bit}+3+2\varepsilon} \log_2 p}{(p-1)\, q_{bit}}.$$

This completes the proof since $P \leq 2^{3q_{bit}/2+2+\varepsilon} S$. □ 

Because p is always much larger than 2^^'>" , the lemma shows that if e is not too 
big, then with overwhelming probability, there is no non-zero (u, v) G L such 
that both |u| and |f| are < ^<ihul'^+s ^ |.]^g closest vector of t in L, 

there would be another lattice vector I' G L closer to t: the distance between I' 
and t would be less than But then, the lattice vector (u,v) =1 — 1' 

would contradict the lemma, for some small £. Hence, I is the closest vector of 
t in T with overwhelming probability, which proves the attack. However, the 
initial assumption that both a and b are uniformly distributed modulo p — 1 is 
an idealized model, compared to the actual way a and b are generated by GPG. 
In this sense, the lemma explains why the attack works, but it does not provide 
a complete proof. 
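The counting argument in the proof of Lemma 2, exercised on a toy prime in Python. This is an added example and not part of the original paper; it assumes, since equation (2) is not reproduced here, that membership $(u,v) \in L$ means exactly congruence (3), and the prime $p = 23$ and the bound on $|u|, |v|$ are constructed values chosen so that the whole probability space can be enumerated.

```python
from math import gcd
from itertools import product

# Toy parameters, constructed for illustration: p = 23, so (p-1)/2 = 11 is prime and
# exceeds 2^q_bit for q_bit = 3.  GPG's p is far larger; the counting argument is the same.
P = 23
HALF = (P - 1) // 2          # (p-1)/2 = 11


def in_lattice(u: int, v: int, a: int, b: int) -> bool:
    """Membership test (u,v) in L for a given signature (a,b).  Assumption of this example:
    L is the set of (u,v) with b*u + a*v = 0 (mod (p-1)/2), i.e. congruence (3)."""
    return (b * u + a * v) % HALF == 0


def count_b_when_v_zero(u: int) -> int:
    """Number of b in {0,...,p-2} with b*u = 0 (mod (p-1)/2);
    the proof bounds it by 2*gcd(u,(p-1)/2)."""
    return sum(1 for b in range(P - 1) if in_lattice(u, 0, 0, b))


def max_count_a_for_fixed_b(u: int, v: int) -> int:
    """For v != 0, the largest (over b) number of a in {0,...,p-2} satisfying (3);
    the proof bounds it by 2*gcd(v,(p-1)/2)."""
    return max(sum(1 for a in range(P - 1) if in_lattice(u, v, a, b)) for b in range(P - 1))


def prob_uv(u: int, v: int) -> float:
    """P_{u,v}: probability over uniform (a,b) in {0,...,p-2}^2 that (u,v) lies in L."""
    hits = sum(1 for a, b in product(range(P - 1), repeat=2) if in_lattice(u, v, a, b))
    return hits / (P - 1) ** 2


def proof_bounds_hold(limit: int) -> bool:
    """Check, for every nonzero (u,v) with |u|,|v| < limit, the two counting claims of the
    proof and the bounds on P_{u,0} and P_{u,v} that follow from them."""
    for u in range(-limit + 1, limit):
        for v in range(-limit + 1, limit):
            if (u, v) == (0, 0):
                continue
            if v == 0:
                if count_b_when_v_zero(u) > 2 * gcd(u, HALF):
                    return False
                if prob_uv(u, 0) > 2 * gcd(u, HALF) / (P - 1) + 1e-12:
                    return False
            else:
                if max_count_a_for_fixed_b(u, v) > 2 * gcd(v, HALF):
                    return False
                if prob_uv(u, v) > 2 * gcd(v, HALF) / (P - 1) + 1e-12:
                    return False
    return True
```

For $u$ coprime to $(p-1)/2$ the bound $2\gcd(u,(p-1)/2)/(p-1)$ is attained exactly (for $p = 23$, $P_{1,1} = 1/11$), which is why the proof then has to count separately the $u$'s that share a factor with $(p-1)/2$.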
Abstract. This work presents a new privacy primitive called “Traceable Signatures”, together with an efficient provably secure implementation. To this end, we develop the underlying mathematical and protocol tools, present the concepts and the underlying security model, and then realize the scheme and its security proof. Traceable signatures support an extended set of fairness mechanisms (mechanisms for anonymity management and revocation) when compared with the traditional group signature mechanism. The extended functionality of traceable signatures is needed for proper operation and adequate level of privacy in various settings and applications. For example, the new notion allows (distributed) tracing of all signatures of a single (misbehaving) party without opening signatures and revealing identities of any other user in the system. In contrast, if such tracing is implemented by a state of the art group signature system, such wide opening of all signatures of a single user is a (centralized) operation that requires the opening of all anonymous signatures and revealing the users associated with them, an act that violates the privacy of all users.

To allow efficient implementation of our scheme we develop a number of basic tools, zero-knowledge proofs, protocols, and primitives that we use extensively throughout. These novel mechanisms work directly over a group of unknown order, contributing to the efficiency and modularity of our design, and may be of independent interest. The interactive version of our signature scheme yields the notion of “traceable (anonymous) identification.”



1 Introduction 

A number of basic primitives have been suggested in cryptographic research to deal with the issue of privacy. The most flexible private authentication tool to date is “group-signatures,” a primitive where each group member is equipped with a signing algorithm that incorporates a proof of group-membership. Group-signatures were introduced by Chaum and Van Heyst in [14] and were further studied and improved in many ways in [15, 13, 7, 12, 4, 2, 25]. Each signature value is anonymous, in the sense that it only reveals that the issuer is a member of the group, without even linking signatures by the same signer.

Privacy comes at a price. Unconditional privacy seems to be an attractive notion from the user’s viewpoint, nevertheless it can potentially be a very dangerous tool against public safety (and can even be abused against the user herself). Undoubtedly everybody understands that privacy is a right of law-abiding citizens, while at the same time a community must be capable of revoking such privacy when illegal behavior (performed under the “mask of privacy”) is detected; this balancing act is thus called “fairness”. Group-signatures were designed with one embedded fairness mechanism which, in fact, allows for the “opening” of an atomic signature value, revealing the identity of its signer.

We observe that while group signatures are a very general “private credentials” tool, their opening capability is not a sufficient mechanism to ensure safety and/or privacy in a number of settings. What we need is additional mechanisms for lifting of privacy conditions. It may sound paradoxical that offering more mechanisms for revoking privacy actually contributes to privacy; still, consider the following scenario: a certain member of the group is suspected of illegal activity (potentially, its identity was revealed by opening a signature value). It is then crucial to detect which signatures were issued by this particular member so that his/her transactions are traced. The only solution with the existing group signature schemes is to have the Group Manager (GM) open all signatures, thus violating the privacy of all (including law-abiding) group members. Furthermore, this operation is also scalability impairing, since the GM would have to open all signatures in the system and these signatures may be distributed in various locations. What would be desirable, instead, is to have a mechanism that allows the selective linking of the existing signatures of a misbehaving user without violating the privacy of law-abiding group members; this mechanism should be efficient (e.g. done in parallel by numerous agents when required). This capability, in fact, implements an “oblivious data mining” operation where only signature values of a selected misbehaving user are traced. Such traceability property should be offered in conjunction with the standard opening capability of group signatures.

Another type of traceability, “self-traceability,” is helpful to the user and is important in our setting. It suggests that a user should also be capable of claiming that he is the originator of a certain signature value if he wishes (or when a certain application protocol requires this). In other words, a group-member should be capable of stepping out and claiming a certain group-signature value as his own, without compromising the privacy of the remaining past or future group-signatures that he/she issues. Adding self-traceability to the existing efficient solutions in group-signatures is also far from ideal: the user will be required to remember her private random coin-tosses for all the signatures she signed, which is an unreasonable user storage overhead in many settings.

Our Notion: Motivated by the above, in this work we introduce a new basic primitive which we call Traceable Signatures. It incorporates the following three different types of traceability: (i) user tracing: check whether a signature was issued by a given user; it can be applied to all signatures by agents running in parallel; (ii) signature opening: reveal the signer of a given signature (as in group signature); and (iii) signature claiming: the signer of a signature provably claims a given signature that it has signed (in a stateless fashion). When recovering all transactions by performing user tracing it may be useful to avoid collecting all signatures to a central location and in order to reduce the burden of the GM (which may be a distributed entity), we divide user tracing into two steps: the first is executed by the GM and reveals some secret information about the user; this is given to a set of designated agents (clerks) that scan all signatures in parallel and reveal those signed by the suspected user. Note that the secret information revealed should not allow the agents to impersonate the user or violate the anonymity of law-abiding users.

Modeling: We model our concepts of traceable signatures and their interactive version 
(as traceable identification) and define their correctness and security. 

We introduce a novel general way of modeling privacy systems. The model includes the definition of correctness and of security properties of the system. In a security system, like encryption, it is obvious who is the attacker and who tries to defend the encryption device, so adversary modeling is relatively easy. In a privacy system, on the other hand, a protocol between many parties may involve mutually distrusting, malicious users attacking each other from many sides and in various coalitions: e.g., a server (perhaps collaborating with a subset of some users) trying to violate the user’s privacy interacting with a user trying to impersonate a group member. Since in privacy systems we deal with mutually adversarial parties, we develop a model that copes with this situation. The adversaries are described in the spirit that adversaries against a signature scheme or an encryption scheme have been dealt with in the past (i.e., by describing attack capabilities and goals for an adversary), while the model is constructed with simulation-based security proofs in mind.

To this effect, we introduce a set of queries (basic capabilities) by which adversaries can manipulate the system (and the simulator during the security proof). Then we present an “array of security definitions,” where each definition is modeled as an adversary with partial access to the queries, representing a capability that the attack captures. This allows us to deal with various notions of simultaneous adversarial behavior within one system, modeling them as an “array of attacks” and proving security against each of them. Specifically in our setting, we classify three general security requirements that cover all perceived adversarial activities: misidentification attacks, anonymity attacks and framing attacks. We note that previous intuitive security notions that have appeared in the group signature literature such as unforgeability, coalition-resistance and exculpability are subsumed by our classification. We also compare our model to other models.

Constructions: Our construction is motivated by the state of the art and in particular by the mathematical assumptions that allow a group of users to generate a multitude of keys modulo a composite number that are private, namely are (partially) unknown even to the group manager who owns a trapdoor (prime factorization of the composite); such an ingenious mathematical setting was presented in [2]. Due to the refined notions of fairness of our model and its extended functionality, we need to introduce a number of new tools as well as employ a number of new cryptographic constructs that enable the various mechanisms that our model and scheme employ. We also note that our scheme is consistent with the present state-of-the-art revocation method for group signatures presented in [9], thus member revocation can be added modularly to our construction. We remark that the user tracing (combined with the GM publishing the user’s “tracing trapdoor”) can be used to implement a type of “CRL-based revocation” that nullifies all signatures by a private key. This type of revocation has been considered recently in [3] (also [21] has been brought to our attention).

In order to implement the scheme efficiently, we design a number of basic protocols and primitives that we use extensively throughout (as useful subroutines). A pleasing feature of these novel notions and protocols is that they work directly over a group of unknown order. We show useful properties of such groups of quadratic residues that are required for the security proofs. We then introduce the notion of “discrete-log relation sets” which is a generic way of designing zero-knowledge proof systems that allows an entity to prove efficiently the knowledge of a number of witnesses for any such relation set that involves various discrete-logarithms and satisfies a condition that we call “triangularity.” Discrete-log relation sets are employed extensively in our protocols but, in fact, they are useful as an abstraction that can be used elsewhere and are therefore of independent interest. We then define a notion called “discrete-log representations of arbitrary powers,” as well as a mechanism we call “drawing random powers” which is a two party protocol wherein one party gets a secret discrete logarithm whose value she does not control, while at the same time the other party gets the public key version, i.e., the exponentiated value.

Based on the above primitives we present traceable signatures and prove their correctness and security. We remark that our traceable signature scheme adds only a constant overhead to the complexity measures of the state of the art group signature scheme of [2].

Applications: One generic application of traceable signatures is transforming an anonymous system to one with “fair privacy” (by combining traceable signatures with the original system). Membership revocation of the CRL-type is also an immediate application.

Due to lack of space proofs and many details are omitted. We refer to [24] for an 
extended version. 

Notations: The notation $S(a,b)$ (called a sphere of radius $b$ centered at $a$) where $a, b \in \mathbb{Z}$ denotes the set $\{a - b + 1, \ldots, a + b - 1\}$. A function in $w$ will be called negligible if it holds that it is smaller than any fraction of the form $1/w^c$ for any $c$ and sufficiently large $w$; we use the notation $\mathrm{negl}(w)$ for such functions. The concatenation of two strings $a, b$ will be denoted by $a \| b$. If $a$ is a bitstring we denote by $(a)_{i,\ldots,j}$ the substring $(a)_i \| \ldots \| (a)_j$ where $(a)_i$ denotes the $i$-th bit of $a$. The cardinality of a set $A$ will be denoted by $\#A$. If $X$ and $Y$ are parameterized probability distributions with the same support, we will write $X \approx Y$ if the statistical distance between $X, Y$ is a negligible function in the parameter. Furthermore, if $f$ and $g$ are functions over a variable, we will write $f \approx g$ if their absolute distance is a negligible function in the same variable. Finally note that $\log$ denotes the logarithm base 2, PPT stands for “probabilistic polynomial-time,” and $=_{df}$ means “equal by definition.”



2 Preliminaries 

Throughout the paper we work (unless noted otherwise) in the group of quadratic residues modulo $n$, denoted by $QR(n)$, with $n = pq$ and $p = 2p' + 1$ and $q = 2q' + 1$. All operations are to be interpreted as modulo $n$ (unless noted otherwise). We will employ various related security parameters (as introduced in the sequel); with respect to $QR(n)$ the relevant security parameter is the number of bits needed to represent the order of the group, denoted by $\nu =_{df} \lfloor \log p'q' \rfloor + 1$. Next we define the Cryptographic Intractability Assumptions that will be relevant in proving the security properties of our constructions.

The first assumption is the so called Strong-RSA assumption. It is similar in nature to the assumption of the difficulty of finding $e$-th roots of arbitrary elements in $\mathbb{Z}_n^*$ with the difference that the exponent $e$ is not fixed (part of the instance).

Definition 1. Strong-RSA. Given a composite $n$ and $z \in QR(n)$, it is infeasible to find $u \in \mathbb{Z}_n^*$ and $e > 1$ such that $u^e = z \pmod n$, in time polynomial in $\nu$.

The second assumption that we will employ is the Decisional Diffie-Hellman Assumption over the quadratic residues modulo $n$; in stating this assumption we also take into account the fact that the exponents may belong to pre-specified integer spheres $S \subseteq \{1, \ldots, p'q'\}$.

Definition 2. Decisional Diffie-Hellman (over $B_1, B_2, B_3$). Given a generator $g$ of a cyclic group $QR(n)$ where $n$ is as above, a DDH distinguisher $\mathcal{A}$ is a polynomial in $\nu$ time PPT that distinguishes the family of triples of the form $\langle g^x, g^y, g^z \rangle$ from the family of triples of the form $\langle g^x, g^y, g^{xy} \rangle$, where $x \in_R B_1$, $y \in_R B_2$, and $z \in_R B_3$.

The maximum distance of these two distributions of triples as quantified over all possible PPT distinguishers will be denoted by $\mathrm{Adv}^{DDH}_{B_1,B_2,B_3}(\nu)$; if $B_1 = B_2 = B_3 = \{1, \ldots, p'q'\}$ we will write simply $\mathrm{Adv}^{DDH}(\nu)$ instead. The DDH assumption suggests that this advantage is a negligible function in $\nu$.

We remark that when the sizes of the spheres $B_1, B_2, B_3$ are sufficiently close to the order of $QR(n)$ it will hold that $\mathrm{Adv}^{DDH}_{B_1,B_2,B_3}(\nu) \approx \mathrm{Adv}^{DDH}(\nu)$. Nevertheless we discover that the spheres can be selected to be much smaller than that without any degradation in security (see the remark at the end of section 3).

Finally, we will employ the discrete-logarithm assumption over the quadratic residues modulo $n$ and a pre-specified sphere $S$, when the factorization of $n$ is known:

Definition 3. Discrete-Logarithm. Given two values $a, b$ that belong to the set of quadratic residues modulo $n$ with known factorization, so that $\exists x \in S : a^x = b$, find in time polynomial in $\nu$ the integer $x$ so that $a^x = b$. Again $S$ is an integer sphere into the set $\{1, \ldots, p'q'\}$.

Conventions. Our proofs of knowledge will only be proven to work properly in the honest-verifier setting. On the one hand, the honest-verifier setting is sufficient for producing signatures. On the other hand, even in the general interactive setting the honest-verifier scenario can be enforced by assuming the existence, e.g., of a beacon, or some other mechanism that can produce trusted randomness; alternatively the participants may execute a distributed coin flipping algorithm (which is by now a standard tool for converting a random-coin honest-verifier scenario into a general proof). Such protocols where the randomness that is used to select the challenge is trusted will be called “canonical.”




576 Aggelos Kiayias, Yiannis Tsiounis, and Moti Yung 



3 Sphere Truncations of Quadratic Residues 

Let $n$ be a composite so that $n = pq$ and $p = 2p' + 1$ and $q = 2q' + 1$ with $p, q, p', q'$ all prime. Let $a$ be a generator of the cyclic group of quadratic residues modulo $n$. Recall that the order of $QR(n)$ is $p'q'$. Let $S(2^\ell, 2^\mu) = \{2^\ell - 2^\mu + 1, \ldots, 2^\ell + 2^\mu - 1\}$ be a sphere for two parameters $\ell, \mu \in \mathbb{N}$. Observe that $\#S(2^\ell, 2^\mu) = 2^{\mu+1} - 1$.

In this section we will prove a basic result that will be helpful later in the analysis of our scheme. In particular we will show that, assuming factoring is hard and the fact that the sphere $S(2^\ell, 2^\mu)$ is sufficiently large (but still not very large), the random variable $a^x$ with $x \in_R S(2^\ell, 2^\mu)$ is indistinguishable from the uniform distribution over $QR(n)$; note that the result becomes trivial if the size of the sphere is very close to the order of $QR(n)$; we will be interested in cases where the size of the sphere is exponentially smaller (but still sufficiently large). Intuitively, this means that a truncation of $QR(n)$ as defined by the sphere $S(2^\ell, 2^\mu)$ is indistinguishable to any probabilistic polynomial-time observer.

Consider the function $f_{a,n}(x) = a^x \pmod n$ defined for all $x < n$. The inverse of this function $f^{-1}_{a,n}$ is defined for any element in $QR(n)$ so that $f^{-1}_{a,n}(y) = x$ where $x < p'q'$ and it holds that $a^x = y \pmod n$. Observe that $x$ can be written as a $\nu$-bitstring. Note that if $y$ is uniformly distributed over $\mathbb{Z}_n^*$ it holds that every bit $(x)_i$ of $x$ with $i = 1, \ldots, \nu$ follows a probability distribution $\mathcal{D}_i^\nu$ with support the set $\{0, 1\}$. Note that for the $O(\log \nu)$ most significant bits $i$ it holds that the distribution $\mathcal{D}_i^\nu$ is biased towards 0, whereas for the remaining bits the distribution $\mathcal{D}_i^\nu$ is uniform; this bias is due to the distance between $2^\nu$ and $p'q'$. Below we define the simultaneous hardness of the bits of the discrete-logarithm function (cf. [22]):

Definition 4. The bits $[\ell, \ldots, j]$, $\ell > j$, of $f^{-1}_{a,n}$ are simultaneously hard if the following two distributions are PPT-indistinguishable:

- the $\mathcal{SD}^\nu_j$ distribution: $\langle (f^{-1}_{a,n}(y))_{\ell,\ldots,j}, y \rangle$ where $y \in_R QR(n)$.

- the $\mathcal{SR}^\nu_j$ distribution: $\langle r_\ell \| \ldots \| r_j, y \rangle$ where $y \in_R QR(n)$ and $r_i \leftarrow \mathcal{D}_i^\nu$ for $i = \ell, \ldots, j$.

Hastad et al. [22] studied the simultaneous hardness of the discrete-logarithm over composite groups and one of their results implies the following theorem:

Theorem 1. The bits $[\nu, \ldots, j]$ of $f^{-1}_{a,n}$ are simultaneously hard under the assumption that factoring $n$ is hard, provided that $j = \lceil \nu/2 \rceil - O(\log \nu)$.

Now let us return to the study of the subset of $QR(n)$ defined by the sphere $S(2^\ell, 2^\mu)$. Consider the uniform probability distribution $\mathcal{U}$ over $QR(n)$ and the probability distribution $\mathcal{D}_a^{\ell,\mu}$ with support $QR(n)$ that assigns the probability $1/(2^{\mu+1} - 1)$ to all elements $a^x$ with $x \in S(2^\ell, 2^\mu)$ and probability 0 to all remaining elements of the support. The main result of this section is the following theorem:

Theorem 2. The probability distributions $\mathcal{D}_a^{\ell,\mu}$ and $\mathcal{U}$ with support $QR(n)$ are PPT-indistinguishable under the assumption that factoring $n$ is hard, provided that $\#S(2^\ell, 2^\mu)$ is sufficiently large (the exact bound is not legible in this copy).

Remark. The results of this section suggest that we may truncate the range of a random variable $a^x$, $x \in_R \{1, \ldots, p'q'\}$, into a subset of $QR(n)$ that is of size approximately $\sqrt{p'q'}$; this truncation will not affect the behavior of any polynomial-time bounded observer. In particular, for the case of the Decisional Diffie-Hellman assumption in $QR(n)$ over the spheres $B_1, B_2, B_3$, we may use spheres of size approximately $\sqrt{p'q'}$; under the assumption that factoring is hard, we will still maintain that $\mathrm{Adv}^{DDH}_{B_1,B_2,B_3}(\nu) \approx \mathrm{Adv}^{DDH}(\nu)$. In some few cases we may need to employ the DDH over spheres that are smaller in size than $\sqrt{p'q'}$ (in particular we will employ the sphere $B_2$ to be of size approximately $\sqrt[4]{p'q'}$). While the DDH over such sphere selection does not appear to be easier, it could be possible that this version of DDH is a stronger intractability assumption. Nevertheless we remark that if we assume that factoring remains hard even if a fraction of the bits of the prime factors of $n$ are known⁴ then as stated in [22] approximately 3/4 of the bits of $f^{-1}_{a,n}$ are simultaneously hard and thus, using the methodology developed in this section, we can still argue that $\mathrm{Adv}^{DDH}_{B_1,B_2,B_3}(\nu) \approx \mathrm{Adv}^{DDH}(\nu)$, even if $B_2$ is of size approximately $\sqrt[4]{p'q'}$.

4 Discrete-Log Relation Sets 

Discrete-log relation sets are quite useful in planning complex proofs of knowledge for protocols operating over groups of unknown order in general. We note that special instances of such proofs have been investigated individually in the literature, see e.g. [12, 11] (also, various discrete-log based protocols over known and unknown order subgroups have been utilized extensively in the literature, [16, 19, 17]). Our approach, that builds on this previous work, homogenizes previous instantiations in the context of signatures into a more generic framework. Below, let $G$ be the unknown order group of quadratic residues modulo $n$, denoted also by $QR(n)$.

Definition 5. A discrete-log relation set $R$ with $z$ relations over $r$ variables and $m$ objects is a set of relations defined over the objects $A_1, \ldots, A_m \in G$ and the free variables $\alpha_1, \ldots, \alpha_r$ with the following specifications: (1) The $i$-th relation in the set $R$ is specified by a tuple $\langle a^i_1, \ldots, a^i_m \rangle$ so that each $a^i_j$ is selected to be one of the free variables $\{\alpha_1, \ldots, \alpha_r\}$ or an element of $\mathbb{Z}$. The relation is to be interpreted as $\prod_{j=1}^{m} A_j^{a^i_j} = 1$. (2) Every free variable $\alpha_j$ is assumed to take values in a finite integer range $S(2^{\ell_j}, 2^{\mu_j})$ where $\ell_j, \mu_j \ge 0$.

We will write $R(\alpha_1, \ldots, \alpha_r)$ to denote the conjunction of all relations $\prod_{j=1}^{m} A_j^{a^i_j} = 1$ that are included in $R$.

Below we will design a 3-move honest verifier zero-knowledge proof (see e.g. [16]) that allows a prover that knows witnesses $x_1, \ldots, x_r$ such that $R(x_1, \ldots, x_r) = 1$ to prove knowledge of these values. We will concentrate on discrete-log relation sets that have a specific structure that is sufficient for our setting: a discrete-log relation set $R$ is said to be triangular, if for each relation $i$ involving the free variables $\alpha_w, \alpha_{w_1}, \ldots, \alpha_{w_b}$ it holds that the free variables $\alpha_{w_1}, \ldots, \alpha_{w_b}$ are contained in relations $1, \ldots, i-1$.

⁴ Efficient factorization techniques are known when at least $\lceil \nu/3 \rceil$ bits of the prime factors of $n$ are known, [22].
Fig. 1. Proof of Knowledge for a Discrete-Log relation set $R$. [Figure; the legible content is the following.] Inputs: objects $A_1, \ldots, A_m$, $r$ free variables $\alpha_1, \ldots, \alpha_r$, parameters $\epsilon > 1$, $k \in \mathbb{N}$; each variable $\alpha_j$ takes values in the range $S(2^{\ell_j}, 2^{\mu_j})$; $P$ proves knowledge of the witnesses $x_j \in S(2^{\ell_j}, 2^{\mu_j})$ s.t. $R(x_1, \ldots, x_r) = 1$. Moves: $P$, for $w \in \{1, \ldots, r\}$, selects $t_w \in_R \pm\{0,1\}^{\epsilon(\mu_w + k)}$ and sends one commitment per relation; $V$ selects $c \in_R \{0,1\}^k$; $P$, for $w \in \{1, \ldots, r\}$, sets $s_w = t_w - c \cdot (x_w - 2^{\ell_w})$. Verify: for $w \in \{1, \ldots, r\}$ the length of $s_w$ is checked, and for $i \in \{1, \ldots, z\}$ the $i$-th relation is checked against its commitment as a product over the objects $A_j$ whose slot $a^i_j$ equals some $\alpha_w$ (the verification equations are not legible in this copy).



Theorem 3. For any triangular discrete-log relation set $R$ the 3-move protocol of figure 1 is an honest verifier zero-knowledge proof that can be used by a party (prover) knowing a witness for $R$ to prove knowledge of the witness to a second party (verifier).

We remark that the proof assumes that the prover is incapable of solving the Strong-RSA problem; under this assumption the cheating probability of the prover is $1/2^k$. Regarding the length of the proof we note that the proof requires the first communication flow from the prover to the verifier to be of size $z$ $QR(n)$ elements (where $z$ is the number of relations in $R$) and the second communication flow from the prover to the verifier to be of total bit-length $\sum_{w=1}^{r} (\epsilon(\mu_w + k) + 1)$.

Below, for a sphere $S(2^\ell, 2^\mu)$, the notation $S^{\epsilon,k}(2^\ell, 2^\mu) =_{df} S(2^\ell, 2^{\mu'})$, for an exponent $\mu' < \mu$ determined by $\epsilon, k$ (not legible in this copy), will be called the innersphere of $S(2^\ell, 2^\mu)$ for parameters $\epsilon, k$.
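The 3-move protocol of Figure 1, instantiated on the relation set that step 3 of Section 6 below sends through it ($\langle -1, 0, \alpha, \beta, 0 \rangle$ and $\langle 0, -1, 0, 0, \beta \rangle$ over $C_1, C_2, g, h, y$, which is triangular), as an added Python example that is not the paper's own code. It assumes a toy modulus $n = 23 \cdot 47$, toy parameters $\epsilon = 2$, $k = 4$ and toy witness spheres; the encoding `("var", w)` of a free-variable slot and all function names are the example's own. The verification equation is the one implied by the response $s_w = t_w - c(x_w - 2^{\ell_w})$ together with $\prod_j A_j^{a^i_j} = 1$ (derived for this example; the figure's own verification lines are not reproduced above).

```python
import secrets

# Toy instance, constructed for this example: n = p*q with safe primes p = 2*11+1 = 23
# and q = 2*23+1 = 47, so QR(n) is cyclic of order p'q' = 253.  A real deployment uses
# a modulus of 1024 bits or more; everything below is sized to be readable.
N = 23 * 47                       # 1081
G = 4                             # 2^2 generates QR(n): order 11 mod 23 and 23 mod 47
H = pow(G, 57, N)                 # second base h (hypothetical; any element of QR(n) works)
Y = pow(G, 101, N)                # public key y = g^101 (hypothetical; its log is never used)
EPS, K = 2, 4                     # the figure's parameters: eps > 1 and the challenge length k
                                  # (k = 4 gives cheating probability 1/2^4, a toy value)


def in_sphere(x: int, ell: int, mu: int) -> bool:
    """x in S(2^ell, 2^mu) = {2^ell - 2^mu + 1, ..., 2^ell + 2^mu - 1}."""
    return 2 ** ell - 2 ** mu + 1 <= x <= 2 ** ell + 2 ** mu - 1


def rand_signed(bits: int) -> int:
    """Uniform element of +-{0,1}^bits, i.e. an integer t with |t| < 2^bits."""
    t = secrets.randbelow(2 ** bits)
    return -t if secrets.randbits(1) else t


def prover_commit(objs, rels, ranges):
    """First move: t_w <-R +-{0,1}^{eps(mu_w+k)}; B_i = prod_{j : a^i_j = alpha_w} A_j^{t_w}."""
    t = [rand_signed(EPS * (mu + K)) for (_, mu) in ranges]
    commits = []
    for rel in rels:
        b = 1
        for a_ij, A in zip(rel, objs):
            if isinstance(a_ij, tuple):           # ("var", w): slot j holds free variable alpha_w
                b = b * pow(A, t[a_ij[1]], N) % N
        commits.append(b)
    return t, commits


def prover_respond(witness, ranges, t, c):
    """Third move: s_w = t_w - c * (x_w - 2^{ell_w})."""
    return [tw - c * (x - 2 ** ell) for tw, x, (ell, _) in zip(t, witness, ranges)]


def verify(objs, rels, ranges, commits, c, s) -> bool:
    """Verifier: range-check every s_w, then check each relation against its commitment.
    Equation used (follows from the response formula and prod_j A_j^{a^i_j} = 1):
      B_i = prod_{var slots} A_j^{s_w} * (prod_{const slots} A_j^{a^i_j} * prod_{var slots} A_j^{2^{ell_w}})^(-c)
    """
    for sw, (_, mu) in zip(s, ranges):
        if abs(sw) >= 2 ** (EPS * (mu + K) + 1):  # s_w must lie in +-{0,1}^{eps(mu_w+k)+1}
            return False
    for rel, b_i in zip(rels, commits):
        lhs, fixed = 1, 1
        for a_ij, A in zip(rel, objs):
            if isinstance(a_ij, tuple):
                w = a_ij[1]
                lhs = lhs * pow(A, s[w], N) % N           # negative s_w: Python >= 3.8 inverts mod N
                fixed = fixed * pow(A, 2 ** ranges[w][0], N) % N
            else:
                fixed = fixed * pow(A, a_ij, N) % N        # integer constant, may be negative
        if b_i != lhs * pow(fixed, -c, N) % N:
            return False
    return True


def section6_step3_instance():
    """Relation set <-1,0,alpha,beta,0>, <0,-1,0,0,beta> over C1, C2, g, h, y: triangular, since
    beta (relation 2) already appears in relation 1.  Witness spheres are toy-sized."""
    ranges = [(4, 2), (7, 6)]                    # alpha in S(2^4,2^2), beta in S(2^7,2^6)
    x, t = 17, 100                               # constructed witnesses inside those spheres
    assert in_sphere(x, *ranges[0]) and in_sphere(t, *ranges[1])
    c1 = pow(G, x, N) * pow(H, t, N) % N         # C1 = g^x h^t
    c2 = pow(Y, t, N)                            # C2 = y^t
    objs = [c1, c2, G, H, Y]
    rels = [(-1, 0, ("var", 0), ("var", 1), 0), (0, -1, 0, 0, ("var", 1))]
    return objs, rels, ranges, [x, t]


def run_protocol(objs, rels, ranges, witness) -> bool:
    """One honest 3-move execution; returns the verifier's decision."""
    t, commits = prover_commit(objs, rels, ranges)
    c = secrets.randbits(K)                      # verifier's challenge c <-R {0,1}^k
    s = prover_respond(witness, ranges, t, c)
    return verify(objs, rels, ranges, commits, c, s)
```

`run_protocol` performs one honest execution; calling `verify` directly with a chosen non-zero challenge shows that a response computed from a wrong witness is rejected, since the mismatch appears as a non-trivial power of $g$ in the relation check. The first flow is one $QR(n)$ element per relation and the second flow one integer of at most $\epsilon(\mu_w + k) + 1$ bits per variable, matching the sizes stated after Theorem 3.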

5 Discrete Log Representations of Arbitrary Powers 

In this section we introduce and present some basic facts about “discrete log representations of arbitrary powers” inside the set of Quadratic Residues $QR(n)$, with $n$ as in Section 2. We will define three spheres $\Lambda, \Gamma, M$ inside the set $\{0, \ldots, 2^\nu - 1\}$ so that the following conditions are satisfied:

[S1.] $(\min \Gamma)^2 > \max \Gamma$. [S2.] $M$ has size approximately equal to $2^{\nu/2}$. [S3.] $\min \Gamma > \max M \max \Lambda + \max \Lambda + \max M$.

This set of conditions is attainable as shown by the following possible selection; for simplicity, we assume that $\nu$ is divisible by 4: $\Lambda = S(2^{\nu/4-1}, 2^{\nu/4-1})$, note that $\#\Lambda = 2^{\nu/4} - 1$ and $\max \Lambda = 2^{\nu/4} - 1$. $M = S(2^{\nu/2-1}, 2^{\nu/2-1})$, note that $\#M = 2^{\nu/2} - 1$ and $\max M = 2^{\nu/2} - 1$. $\Gamma = S(2^{3\nu/4} + 2^{\nu/4-1}, 2^{\nu/4-1})$, note that $\#\Gamma = 2^{\nu/4} - 1$ and $\min \Gamma = 2^{3\nu/4} + 1 > \max \Lambda \max M + \max \Lambda + \max M = 2^{3\nu/4} - 1$.
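The sphere notation of the Notations section and the sphere selection just given, checked in Python. This is an added example and not the paper's own code; the function names are the example's. It builds $S(a,b)$, confirms the size formula $\#S(2^\ell, 2^\mu) = 2^{\mu+1} - 1$ from Section 3, and constructs $\Lambda, M, \Gamma$ for any $\nu$ divisible by 4, reporting whether S1 to S3 and the containment in $\{0, \ldots, 2^\nu - 1\}$ hold.

```python
def sphere(a: int, b: int) -> range:
    """S(a, b) = {a - b + 1, ..., a + b - 1}, the sphere of radius b centred at a."""
    return range(a - b + 1, a + b)


def sphere_size(ell: int, mu: int) -> int:
    """#S(2^ell, 2^mu); Section 3 states this equals 2^(mu+1) - 1."""
    return len(sphere(2 ** ell, 2 ** mu))


def choose_spheres(nu: int):
    """The selection given in the text for nu divisible by 4:
       Lambda = S(2^(nu/4-1), 2^(nu/4-1)),  M = S(2^(nu/2-1), 2^(nu/2-1)),
       Gamma  = S(2^(3nu/4) + 2^(nu/4-1), 2^(nu/4-1)).
    Returns the three spheres as Python ranges (min/max/len are O(1) even for nu = 1024)."""
    if nu % 4 != 0:
        raise ValueError("the selection assumes nu divisible by 4")
    q = nu // 4
    lam = sphere(2 ** (q - 1), 2 ** (q - 1))
    m = sphere(2 ** (2 * q - 1), 2 ** (2 * q - 1))
    gam = sphere(2 ** (3 * q) + 2 ** (q - 1), 2 ** (q - 1))
    return lam, m, gam


def conditions_hold(lam: range, m: range, gam: range, nu: int) -> dict:
    """Evaluate S1-S3 and the containment in {0, ..., 2^nu - 1}; returns each check by name."""
    return {
        "S1": min(gam) ** 2 > max(gam),
        "S2": abs(len(m) - 2 ** (nu // 2)) <= 1,          # "size approximately 2^(nu/2)"
        "S3": min(gam) > max(m) * max(lam) + max(lam) + max(m),
        "inside": all(min(s) >= 0 and max(s) <= 2 ** nu - 1 for s in (lam, m, gam)),
    }
```

For $\nu = 8$ the three spheres are $\{1,2,3\}$, $\{1,\ldots,15\}$ and $\{65,66,67\}$, and S3 holds with no slack to spare ($65 > 63$), which is exactly the identity $\max\Lambda\max M + \max\Lambda + \max M = 2^{3\nu/4} - 1$ stated above.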

In the exposition below we use some fixed values $a_0, a, b \in QR(n)$.
Definition 6. A discrete-log representation of an arbitrary power is a tuple $\langle A, e : x, x' \rangle$ so that it holds $A^e = a_0 a^x b^{x'}$ with $x, x' \in \Lambda$ and $e \in \Gamma$.

In this work we will be interested in the following computational problem:

o The One-more Representation Problem. Given $n, a_0, a, b$ and $K$ discrete-log representations of arbitrary powers find “one-more” discrete-log representation of an arbitrary power inside $QR(n)$.

The theorem below establishes that solving the One-more representation problem cannot be substantially easier than solving the Strong-RSA problem. We remark that a variant of this problem and of the theorem below has been proposed and proved in a recent work of Camenisch and Lysyanskaya [10] (without the sphere constraints). Note that the sphere constraints that we employ will allow shorter membership certificates later on, thus contributing to the efficiency of the general design.

Theorem 4. Fix $a_0, a, b \in QR(n)$ and spheres $\Lambda, M, \Gamma$ satisfying the above properties. Let $\mathcal{M}$ be a PPT algorithm that given $K$ discrete-log representations of arbitrary powers inside $QR(n)$ outputs a different discrete-log representation of an arbitrary power inside $QR(n)$ with non-negligible probability $\alpha$. Then, the Strong-RSA problem can be solved with non-negligible probability at least $\alpha/2K$.



6 Non-adaptive Drawings of Random Powers 

Consider the following game between two players $A$ and $B$: player $A$ wishes to select a random power $a^x$ so that $x \in_R S(2^\ell, 2^\mu)$ where $a \in QR(n)$. Player $B$ wants to ensure that the value $x$ is selected “non-adaptively” from its respective domain. The output specification of the game is that player $A$ returns $x$ and that player $B$ returns $a^x$. Player $B$ is assumed to know the factorization of $n$. In this section we will carefully model and implement a protocol for achieving this two-player functionality. The reader is referred to [20] for a general discussion of modeling secure two-party computations.

In the ideal world the above game is played by two Interactive TM’s (ITM’s) $A_0, B_0$ and the help of a trusted third party ITM $T$ following the specifications below. We note that we use a special symbol $\bot$ to denote failure (or unwillingness to participate); if an ITM terminates with any output other than $\bot$ we say that it accepts; in the other case we say it rejects. From all the possible ways to implement $A_0, B_0$ one is considered to be the honest one; this will be marked as $\hat{A}_0, \hat{B}_0$ and is also specified below.

0. The modulus $n$ is available to all parties and its factorization is known to $B_0$. The sphere $S(2^\ell, 2^\mu)$ is also public and fixed.

1. $A_0$ sends a message in $\{\mathsf{go}, \bot\}$ to $T$. $\hat{A}_0$ transmits $\mathsf{go}$.

2. $B_0$ sends a message in $\{\mathsf{go}, \bot\}$ to $T$. $\hat{B}_0$ transmits $\mathsf{go}$.

3. If $T$ receives $\mathsf{go}$ from both parties, it selects $x \in_R S(2^\ell, 2^\mu)$ and returns $x$ to $A_0$; otherwise $T$ transmits $\bot$ to both parties.

4. $A_0$ selects a value $C$ and transmits either $C$ or $\bot$ to $T$. $\hat{A}_0$ transmits $C = a^x \bmod n$.

5. $T$ verifies that $a^x = C \pmod n$ and if this is the case it transmits $C$ to both players. Otherwise (or in the case $A_0$ transmitted $\bot$ in step 4), $T$ transmits $\bot$ to both players. $B_0$ terminates by returning $C$, or $\bot$ in the case of receiving $\bot$ from $T$. Similarly $A_0$ terminates by returning $x$, or $\bot$ in the case of receiving $\bot$ from $T$.

Let $\mathrm{Im}^T =_{df} \langle A_0, B_0 \rangle$ be two ITM’s that implement the above protocol with the help of the ITM $T$. We define by $\mathrm{OUT}^{\mathrm{Im}^T}_{A_0}(\mathrm{init}_A(\nu))$ and $\mathrm{OUT}^{\mathrm{Im}^T}_{B_0}(\mathrm{init}_B(\nu))$ the output probability distributions of the two players. Note that $\mathrm{init}_A(\nu)$ contains the initialization string of player $A$ which contains the modulus $n$, and the description of the sphere $S(2^\ell, 2^\mu)$; similarly $\mathrm{init}_B(\nu)$ is defined as $\mathrm{init}_A(\nu)$ with the addition of the factorization of $n$. Below we will use the notation $\mathrm{IDEAL}^{\mathrm{Im}^T}(in_A, in_B)$ to denote the pair $(\mathrm{OUT}^{\mathrm{Im}^T}_{A_0}(in_A), \mathrm{OUT}^{\mathrm{Im}^T}_{B_0}(in_B))$. Finally, we denote by $\widehat{\mathrm{Im}}^T$ the pair $(\hat{A}_0, \hat{B}_0)$.

The goal of a protocol for non-adaptive drawing of random powers is the simulation of the trusted third party by the two players. Let $\mathrm{Im} = (A_1, B_1)$ be a two-player system of interactive TM’s that implement the above game without interacting with the trusted third party $T$. As above we will denote by $\mathrm{OUT}^{\mathrm{Im}}_{A_1}(in_A)$ the output probability distribution of $A_1$, and likewise for $\mathrm{OUT}^{\mathrm{Im}}_{B_1}(in_B)$. Also we denote by $\mathrm{REAL}^{\mathrm{Im}}(in_A, in_B)$ the concatenation of these two distributions.

Definition 7. (Correctness) An implementation $\mathrm{Im} = (A_1, B_1)$ for non-adaptive drawings of random powers is correct if the following is true:
$$\mathrm{REAL}^{\mathrm{Im}}(in_A, in_B) \approx \mathrm{IDEAL}^{\widehat{\mathrm{Im}}^T}(in_A, in_B)$$
where $in_A \leftarrow \mathrm{init}_A(\nu)$ and $in_B \leftarrow \mathrm{init}_B(\nu)$. Intuitively the above definition means that the implementation $\mathrm{Im}$ should achieve essentially the same output functionality for the two players as the ideal honest implementation.

Defining security is naturally a bit trickier as the two players may misbehave arbitrarily when executing the prescribed protocol implementation $\mathrm{Im} = (A_1, B_1)$.

Definition 8. (Security) An implementation $\mathrm{Im} = (A_1, B_1)$ for non-adaptive drawings of random powers is secure if the following is true:
$$\forall A^* \; \exists A_0^* \quad \mathrm{REAL}^{\langle A^*, B_1 \rangle}(in_A, in_B) \approx \mathrm{IDEAL}^{\langle A_0^*, \hat{B}_0 \rangle}(in_A, in_B)$$
$$\forall B^* \; \exists B_0^* \quad \mathrm{REAL}^{\langle A_1, B^* \rangle}(in_A, in_B) \approx \mathrm{IDEAL}^{\langle \hat{A}_0, B_0^* \rangle}(in_A, in_B)$$
where $in_A \leftarrow \mathrm{init}_A(\nu)$ and $in_B \leftarrow \mathrm{init}_B(\nu)$. Intuitively the above definition means that no matter what adversarial strategy is followed by either player it holds that it can be transformed to the ideal world setting without affecting the output distribution.

Having defined the goals, we now take on the task of designing an implementation 
Im without a trusted third party; below we denote by m̃ =_df #S(2^ℓ, 2^μ) = 2^{μ+1} − 1. 

1. The two players read their inputs and initiate a protocol dialog. 

2. Player A selects x ∈_R Z_m̃, r̃ ∈_R {0, ..., n^2 − 1} and transmits to player B the 
values C1 = g^x h^r̃ (mod n) and C2 = y^r̃ (mod n). 

3. Player A engages player B in a proof of knowledge for the discrete-log relation set 
⟨−1, 0, x, r̃, 0⟩ and ⟨0, −1, 0, 0, r̃⟩ over the objects C1, C2, g, h, y. Observe that the 
relation set is triangular. 

4. Player B selects ỹ ∈_R Z_m̃ and transmits ỹ to A. 

5. Player A computes x' = x + ỹ (mod m̃) and transmits to player B the value 
C3 = a^{x'}. 

6. Player A engages player B in a proof of knowledge for the discrete-log relation set 
⟨−1, 0, 0, α, β, γ, 0, 0⟩, ⟨0, −1, 0, 0, 0, 0, 0, γ⟩, ⟨0, 0, −1, 0, 0, 0, α, 0⟩ over the objects 
C1 g^ỹ, C2, C3, g, g^m̃, h, a, y (observe again that the relation set is triangular). 

7. Player A engages with player B in a tight interval proof for C3 ensuring that 
log_a C3 ∈ Z_m̃ (treating Z_m̃ as an integer range); this is done as described in [6]. 

8. Player A outputs x := x' + 2^ℓ − 2^μ + 1 and Player B outputs C := C3 · a^{2^ℓ − 2^μ + 1}. 


Theorem 5. The above protocol implementation for non-adaptive drawing of random 
powers is correct and secure (as in Definitions 7 and 8) under the Strong-RSA and DDH 
assumptions. 
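As an added illustration (not part of the paper), the following Python simulation runs steps 2 to 8 between an honest A and an honest B on toy parameters. The proofs of knowledge of steps 3, 6 and 7 are left out, so what remains is exactly what those proofs are meant to bind A to: x is committed before ỹ is seen, and the shift x' = x + ỹ mod m̃ followed by the offset 2^ℓ − 2^μ + 1 places the output in the sphere whatever x A started from. The modulus n = 2039·2027, the sphere S(2^7, 2^3) and the random seeds are this example's own toy choices, far too small for real use.

```python
# Added example (not from the paper): honest-party simulation of the protocol
# for non-adaptive drawing of random powers, with toy parameters. The proofs of
# knowledge of steps 3, 6 and 7 are omitted; what is kept is the message flow
# and the arithmetic those proofs are meant to bind A to.
import random

P_PRIME, Q_PRIME = 1019, 1013                 # toy p', q' with 2p'+1, 2q'+1 prime
N = (2 * P_PRIME + 1) * (2 * Q_PRIME + 1)     # n = 2039 * 2027
ORDER = P_PRIME * Q_PRIME                     # order of QR(n)


def qr_of_full_order(rng):
    """Random element of QR(n) of order exactly p'q' (rejects orders 1, p', q')."""
    while True:
        a = pow(rng.randrange(2, N), 2, N)
        if pow(a, P_PRIME, N) != 1 and pow(a, Q_PRIME, N) != 1:
            return a


def sphere(ell, mu):
    """S(2^ell, 2^mu) = {2^ell - 2^mu + 1, ..., 2^ell + 2^mu - 1}, of size 2^(mu+1) - 1."""
    return range(2**ell - 2**mu + 1, 2**ell + 2**mu)


def draw_random_power(a, g, h, y, ell, mu, rng_a, rng_b):
    """Run steps 2-8 between an honest A (rng_a) and an honest B (rng_b).
    Returns A's output x in S(2^ell, 2^mu), B's output C = a^x mod n, and
    the commitments B saw."""
    m_tilde = 2**(mu + 1) - 1                 # m~ = #S(2^ell, 2^mu)
    # Step 2: A fixes x and r~ and commits; C1 hides x, C2 ties the randomness to y.
    x = rng_a.randrange(m_tilde)
    r_tilde = rng_a.randrange(N * N)
    C1 = pow(g, x, N) * pow(h, r_tilde, N) % N
    C2 = pow(y, r_tilde, N)
    # Step 3 (omitted): A proves knowledge of (x, r~) with C1 = g^x h^r~, C2 = y^r~.
    # Step 4: only now does B reveal its share, so A cannot adapt x to it.
    y_tilde = rng_b.randrange(m_tilde)
    # Step 5: A shifts the committed value modulo m~ and publishes a^{x'}.
    x_prime = (x + y_tilde) % m_tilde
    C3 = pow(a, x_prime, N)
    # Steps 6-7 (omitted): A proves x' = x + y~ mod m~ and that log_a C3 lies in Z_m~.
    # Step 8: both sides translate from Z_m~ into the sphere.
    offset = 2**ell - 2**mu + 1
    x_out = x_prime + offset
    C_out = C3 * pow(a, offset, N) % N
    return x_out, C_out, (C1, C2, C3)


def outputs_for_fixed_a(ell, mu, x_fixed):
    """A's possible outputs when A fixes x and B's share runs over all of Z_m~.
    The map y~ -> x' is a bijection, so every sphere element appears exactly once."""
    m_tilde = 2**(mu + 1) - 1
    offset = 2**ell - 2**mu + 1
    return sorted((x_fixed + y_t) % m_tilde + offset for y_t in range(m_tilde))


def drawing_demo(ell=7, mu=3, seed=7):
    """Check the correctness property of Definition 7 on one toy run."""
    rng = random.Random(seed)
    a, g, h, y = (qr_of_full_order(rng) for _ in range(4))
    x, C, _ = draw_random_power(a, g, h, y, ell, mu, random.Random(1), random.Random(2))
    return dict(
        correct=(C == pow(a, x, N)),                # B holds a^x for A's x
        in_sphere=(x in sphere(ell, mu)),
        uniform_for_any_x=all(outputs_for_fixed_a(ell, mu, x0) == list(sphere(ell, mu))
                              for x0 in range(2**(mu + 1) - 1)))
```

drawing_demo() checks Definition 7 in its simplest form: B's output equals a^x for A's output x, x lies in S(2^7, 2^3), and for every fixed x chosen by A the shift by ỹ runs over the whole sphere, so the output is uniform as soon as B's share is. Security (Definition 8) is what the omitted proofs buy: without step 3, A could pick x after seeing ỹ; without steps 6 and 7, A could send a C3 unrelated to the committed x.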



7 Traceable Signatures and Identification 

In this section we describe the traceable signature syntax and model, focusing first on 
the interactive version, called a traceable identification scheme. Traceable identification 
employs seven sub-protocols Setup, Join, Identify, Open, Reveal, Trace, Claim that are 
executed by the active participants of the system, which are the Group 
Manager (GM), a set of users and other non-trusted third parties called tracers. 

Setup (executed by the GM). For a given security parameter ν, the GM produces a 
publicly-known string pk_GM and some private string sk_GM to be used for user key 
generation. 

Join (a protocol between a new user and the GM). In the course of the protocol the GM 
employs the secret-key string sk_GM. The outcome of the protocol is a mem- 
bership certificate cert_i that becomes known to the new user. The entire Join protocol 
transcript is stored by the GM in a database that will be denoted by Jtrans. This is a 
private database, and each Join transcript also contains all the coin tosses that were used 
by the GM during the execution. 

Identify (traceable identification). It is a proof system between a prover and a verifier, 
with the user playing the role of the prover and the verifier played by any non-trusted 
third party. The Identify protocol is a proof of knowledge of a membership certificate 
cert_i. In our setting, we will restrict the protocol to operate in 3 rounds, with the verifier 
honestly selecting a random challenge of appropriate length in the second round. 

Open (invoked by the Trustee). A PPT TM which, given an Identify protocol transcript, 
the secret key sk_GM and access to the database Jtrans, outputs the identity of the 
signer. 

Reveal (invoked by the GM). A PPT TM which, given the Join transcript for a user i, 
outputs the "tracing trapdoor" for user i, denoted by trace_i. 

Trace (invoked by designated parties, called tracers). A PPT TM which, given an Identify 
protocol transcript π and the tracing trapdoor trace_i of a certain user i, checks if π was 
produced by user i. 

Claim. It is a proof system between a prover and a verifier where the role of the prover 
is played by the user and the role of the verifier is played by any claim recipient. In 
our setting, the Claim protocol is a proof of knowledge that binds to a given Identify 
protocol transcript and employs the membership certificate cert_i of the user. As in the 
case of the Identify protocol we restrict Claim to be a 3-round protocol so that in round 2 
the verifier honestly selects a random challenge of appropriate length. 

Definition 9. (Correctness for traceable identification) A traceable identification 
scheme with security parameter ν is correct if the following four conditions are sat- 
isfied (with overwhelming probability in ν). Let Identify_U(pk_GM) be the distribution 
of Identify protocol transcripts generated by user U and Claim_U(π) the distribution of 
Claim protocol transcripts generated by user U for an Identify protocol transcript π. 

(1) Identify-Correctness: The Identify protocol is a proof of knowledge of a mem- 
bership certificate for the public key pk_GM that satisfies completeness. 

(2) Open-Correctness: Open(sk_GM, Jtrans, Identify_U) = U. 

(3) Trace-Correctness: Trace(Reveal(U, Jtrans), Identify_U) = true and for any 
U' ≠ U, Trace(Reveal(U, Jtrans), Identify_{U'}) = false. 

(4) Claim-Correctness: The Claim protocol over the Identify transcript π is a 
proof of knowledge of the membership certificate embedded into π that satisfies 
completeness. 

Given a traceable identification scheme as described above, we will derive a trace- 
able signature by employing the Fiat-Shamir transformation [18]. 



7.1 Security Model for Traceable Schemes 

In this section we formalize the security model for traceable schemes. To claim security 
we will define the notion of an interface I for a traceable scheme, which is a PTM that 
simulates the operation of the system. The purpose behind the definition of I is to cap- 
ture all possible adversarial activities against a traceable scheme in an intuitive way. As 
in the previous section, we will focus first on traceable identification. We model the se- 
curity of a traceable identification scheme as an interaction between the adversary A and 
an entity called the interface. The interface maintains a (private) state denoted by state_I 
(or simply state) and communicates with the adversary over a handful of pre-specified 
query actions that allow the adversary to learn information about state_I; these queries 
are specified below. The initial state of the interface is set to state_I = ⟨pk_GM, sk_GM⟩ ← Setup(1^ν). 

The interface also employs an "internal user counter" denoted by n which is initialized 
to 0. Moreover the sets U^p, U^a, U^b, U^r are initialized to ∅. Note that state_I is also as- 
sumed to contain U^p, U^a, U^b, U^r and n. Finally the interface employs two other strings 
denoted and initialized as follows: Jtrans = ε and Itrans = ε. The various query action 
specifications are listed below: 
- ⟨Q_pub⟩. The interface returns the string ⟨n, pk_GM⟩. This allows the adversary to 
learn the public information of the system, i.e., the number of users and the public- 
key information. 

- ⟨Q_key⟩. The interface returns sk_GM; this query action allows the adversary to 
corrupt the group manager. 

- ⟨Q_p-join⟩. The interface simulates the Join protocol in private, increases the user 
count n by 1, and sets state_I := state_I||⟨n, transcript_n, cert_n⟩. It also adds n into 
U^p and sets Jtrans := Jtrans||⟨n, transcript_n⟩. 

This query action allows the adversary to introduce a new user to the system (that 
is not adversarially controlled). 

- ⟨Q_a-join⟩. The interface initiates an active Join dialog with the adversary; the in- 
terface increases the user count n by 1, and assumes the role of the GM whereas the 
adversary assumes the role of the prospective user. If the dialog terminates success- 
fully, the interface sets state_I := state_I||⟨n, transcript_n, ⊥⟩. It finally adds n into 
the set U^a and sets Jtrans := Jtrans||⟨n, transcript_n⟩. 

This query action allows the adversary to introduce an adversarially controlled 
user to the system. The adversary has the chance to interact with the GM through 
the Join dialog. 

- ⟨Q_b-join⟩. The interface initiates an active Join dialog with the adversary; the in- 
terface increases the user count n by 1 and assumes the role of the prospective user, 
and the adversary assumes the role of the GM. If the dialog terminates successfully, 
the interface sets state_I := state_I||⟨n, ⊥, cert_n⟩. It also adds n into U^b. 

This query allows the adversary to introduce users to the system while acting as the GM. 

- ⟨Q_id, i⟩. The interface parses state_I to recover an entry of the form ⟨i, ·, cert_i⟩; 
then it produces an Identify protocol transcript using the certificate cert_i and se- 
lecting the verifier challenge at random; if no such entry is discovered or if i ∈ U^a, 
the interface returns ⊥. Finally, if π is the protocol transcript, the interface sets 
Itrans := Itrans||⟨i, π⟩. 

- ⟨Q_reveal, i⟩. The interface returns the output of Reveal(i, Jtrans) and places i ∈ U^r. 
Sometimes we will write Q_reveal^{¬A} to restrict the interface from revealing users in A. 
Note that this query returns ⊥ in case user i does not exist or i ∈ U^b. 

Given the above definition of an interface we proceed to characterize the various 
security properties that a traceable scheme should satisfy. We will use the notation 
I[σ, Q1, ..., Qr] to denote the operation of the interface with (initial) state σ that re- 
sponds to the query actions Q1, ..., Qr (a subset of the query actions defined above). 
In general we assume that the interface serves one query at a time: this applies to the 
queries Q_a-join and Q_b-join that require interaction with the adversary (i.e., the inter- 
face does not allow the adversary to cascade such queries). For a traceable identification 
scheme we will denote by iV the verifier algorithm for the canonical Identify 3-move 
protocol as well as by cV the verifier algorithm of the canonical Claim 3-move protocol. 

Our definition of security, stated below, is based on the definitions of the three 
named security properties in the coming subsections. 

Definition 10. A traceable scheme is said to be secure provided that it satisfies security 
against misidentification, anonymity and framing attacks. 
Regarding traceable signatures, we note that we model security using canonical 
3-move proofs of knowledge and passive impersonation-type attacks; we remark 
that identification security in this type of model facilitates the employment of the Fiat- 
Shamir transform for proving signature security; thus, proving security for the inter- 
active version will be sufficient for ensuring security of the traceable signature in the 
random oracle model following the proof techniques of [1]. 



Misidentification Attacks. In a misidentification attack against a traceable scheme, 
the adversary is allowed to control a number of users of the system (in an adaptive 
fashion). The adversary is also allowed to observe and control the operation of the sys- 
tem in the way that users are added and produce identification transcripts. In addition, 
the adversary is allowed to invoke Q_reveal, i.e., participate in the system as a tracer. The 
objective of the adversary can take either of the following forms: (i) produce an identifi- 
cation transcript that satisfies either one of the following properties: (ia) the adversarial 
identification transcript does not open to any of the users controlled by the adversary, or 
(ib) the adversarial identification transcript does not trace to any of the users controlled 
by the adversary. Alternatively, (ii) produce a claim for an Identify transcript of one of 
the users that he does not control (in the set U^p). We will formalize this attack using the 
experiment presented in figure 2. 



Exp^A_mis(ν): 

  state_I = ⟨pk_GM, sk_GM⟩ ← Setup(1^ν); 
  ⟨s, d, ρ1⟩ ← A^{I[state_I, Q_pub, Q_p-join, Q_a-join, Q_id, Q_reveal]}(first, 1^ν); 
  c ←_R {0,1}^k; 
  ρ2 ← A(second, d, ρ1, c); 
  if iV(pk_GM, ρ1, c, ρ2) = true and 
     ( Open(sk_GM, Jtrans, ρ1) ∉ U^a 
       or ∧_{i∈U^a} Trace(Reveal(i, Jtrans), ρ1, c, ρ2) = false ) 
  then output 1 
  else if s is such that ⟨i, s⟩ ∈ Itrans and i ∈ U^p ∪ U^r 
     and cV(s, ρ1, c, ρ2) = true then output 1 
  else output 0 

Fig. 2. The misidentification experiment 



We will say that a traceable identification scheme satisfies security against misiden- 
tification if for any PPT A, it holds that Prob[Exp^A_mis(ν) = 1] = negl(ν). 



Anonymity Attacks. An anonymity attack is best understood in terms of the following 
experiment that is played with the adversary A, who is assumed to operate in two phases 
called play and guess. In the play phase, the adversary interacts with the interface, intro- 
duces users in the system, and selects two target users he does not control; he then receives 
an identification transcript that corresponds to one of the two at random; in the guess 
stage the adversary tries to guess which of the two produced the identification transcript 
(while accessing the system but without revealing the two challenge users). We remark 
that we allow the adversary to participate in the system also as a tracer (i.e., one of the 
agents that assist in the tracing functionality). The experiment is presented in figure 3. 
A traceable scheme is said to satisfy anonymity if for any attacker A it holds that 
|Prob[Exp^A_anon(ν) = 1] − 1/2| = negl(ν). 






Exp^A_anon(ν): 

  state_I = ⟨pk_GM, sk_GM⟩ ← Setup(1^ν); 
  ⟨d, i0, i1⟩ ← A^{I[state_I, Q_pub, Q_p-join, Q_a-join, Q_id, Q_reveal]}(play, 1^ν); 
  if i0 or i1 belong to U^a ∪ U^r output ⊥; 
  b ←_R {0,1}; 
  parse state_I and find the entry ⟨i_b, transcript_{i_b}, cert_{i_b}⟩; 
  execute the Identify protocol for cert_{i_b} to obtain ⟨ρ1, c, ρ2⟩; 
  b* ← A^{I[state_I, Q_pub, Q_p-join, Q_a-join, Q_id, Q_reveal^{¬{i0,i1}}]}(guess, ⟨ρ1, c, ρ2⟩); 
  if b = b* then output 1 else output 0. 

Fig. 3. The anonymity attack experiment 



Framing Attacks. A user may be framed by the system in two different ways: the GM 
may construct a signature that opens or traces to an innocent user, or it may claim a 
signature that was generated by the user. We capture these two framing notions with the 
experiment described in figure 4 (we remark that "exculpability" of group signatures 
[2] is integrated in this experiment). 



Exp^A_fra(ν): 

  state_I = ⟨pk_GM, sk_GM⟩ ← Setup(1^ν); 
  ⟨s, d, ρ1⟩ ← A^{I[state_I, Q_pub, Q_key, Q_b-join, Q_id]}(first, 1^ν); 
  c ←_R {0,1}^k; 
  ρ2 ← A(second, d, ρ1, c); 
  if iV(pk_GM, ρ1, c, ρ2) = true and 
     ( Open(sk_GM, Jtrans, ρ1) ∈ U^b 
       or ∃ i ∈ U^b : Trace(Reveal(i, Jtrans), ρ1, c, ρ2) = true ) 
  then output 1 
  else if s is such that ⟨i, s⟩ ∈ Itrans and i ∈ U^b 
     and cV(s, ρ1, c, ρ2) = true then output 1 
  else output 0 

Fig. 4. The framing attack experiment 



A traceable scheme satisfies security against framing provided that for any proba- 
bilistic polynomial-time A it holds that Prob[Exp^A_fra(ν) = 1] = negl(ν). 



Comments (i) In modeling misidentification and anonymity attacks we do not allow 
the adversary to submit “open signature” queries to the interface. This models the fact 




586 Aggelos Kiayias, Yiannis Tsiounis, and Moti Yung 



that opening a signature is an internal operation performed by the GM. On the con- 
trary, this is not assumed for the tracing operation, since we model it as a distributed 
operation whose results are made available to distributed agents (and thus the Q_reveal 
oracle query is available to the adversary). Allowing opening oracles to be part of the 
adversarial control is possible, but would require our encryptions and commitments to be 
of the chosen-ciphertext-secure type. 

(ii) Misidentification and Framing in traceable schemes capture two perspectives of 
adversarial behavior: in the first case the adversary does not corrupt the GM (and thus 
does not have at its disposal the GM's keys) and attempts to subvert the system. In 
the second case, the adversary is essentially the system itself (controls the GM) and 
attempts to frame innocent users. We find that the distinction of these two perspectives 
is important in terms of our modeling of traceable signatures, and as we will see they rely 
on different intractability assumptions. 

(iii) It is worth noting here the comparison of our model to previous approaches to for- 
mal modeling of primitives related to traceable signatures, in particular identity escrow 
and group signatures. Camenisch and Lysyanskaya [8] formalize security in identity 
escrow schemes based on a real vs. ideal model formulation, whereas our approach is 
more along the lines of security against adversaries of signature schemes with adversar- 
ial system access capabilities and adversarial goals in mind. Bellare et al. [5] provide 
a formal model for a relaxed group signature scenario where a dealer is supposed to 
run the user key-generation mechanism (rather than the user itself interactively with 
the group manager via the Join protocol). Our approach, employing active interaction 
between the adversary and the interface that represents the system (and simulates it in 
a security proof), is more suitable for the traceable schemes setting, which, in turn, fol- 
lows the setting and attacks considered in [2] (where the group manager enters users 
into the system and, at the same time, he lacks full knowledge of the joining users’ 
keys). 

8 Design of a Traceable Scheme 

Parameters. The parameters of the scheme are ε ∈ R with ε > 1, k ∈ N as well as 
three spheres Λ, M, Γ satisfying the properties presented in Section 5; below we will denote 
by Λ_k^ε, M_k^ε and Γ_k^ε the inner spheres of Λ, M and Γ w.r.t. the parameters ε, k. 

Setup. The GM generates two primes p', q' with p = 2p' + 1, q = 2q' + 1 also primes. 
The modulus is set to n = pq. The spheres Λ, M, Γ are embedded into {0, ..., p'q' − 1}. 
Also the GM selects a, a0, b, g, h ∈_R QR(n) of order p'q', together with x ∈_R Z_{p'q'} and 
y := g^x (mod n); x is the trapdoor that Open uses below. The secret key sk_GM of 
the GM is set to p, q (and x). The public key of the system is subsequently set to pk_GM := 
⟨n, a, a0, b, y, g, h⟩. 

Join (a protocol executed by a new user and the GM). The prospective user and the GM 
execute the protocol for non-adaptive drawing of a random power x'_i ∈ Λ_k^ε over b (see 
Section 6) with the user playing the role of player A and the GM playing the role of 
player B; upon successful completion of the protocol the user obtains x'_i and the GM 
obtains the value C_i = b^{x'_i}. 

Subsequently the GM selects a random prime e_i ∈ Γ_k^ε and x_i ∈ Λ_k^ε and then 
computes A_i = (C_i a^{x_i} a0)^{e_i^{-1}} (mod n) and sends to the user the values ⟨A_i, e_i, x_i⟩. 
The user forms the membership certificate as cert_i := ⟨A_i, e_i, x_i, x'_i⟩. Observe that 
⟨A_i, e_i : x_i, x'_i⟩ is a discrete-log representation of an arbitrary power in QR(n) (see 
Section 5); furthermore observe that the portion x_i of the certificate is known to the GM 
and will be used as the user's tracing trapdoor. 

Identify. To identify herself a user first computes the values 

T1 = A_i y^r,  T2 = g^r,  T3 = g^{e_i} h^r,  T4 = g^{x_i k},  T5 = g^k,  T6 = g^{x'_i k'},  T7 = g^{k'} 

where r, k, k' ∈_R M. Subsequently the user proceeds to execute the proof of knowledge 
of the following triangular discrete-log relation set defined over the objects g, h, y, a0, a, 
b, T1, ..., T7 with free variables x, x' ∈ Λ_k^ε, e ∈ Γ_k^ε, r, h'. Each row lists the 
exponents of the objects g, h, (T2)^{-1}, T5, T7, y, (T1)^{-1}, a, b, a0, (T3)^{-1}, (T4)^{-1}, (T6)^{-1}: 

  T2 = g^r                      :  r   0   1   0   0   0   0   0   0   0   0   0   0 
  T3 = g^e h^r                  :  e   r   0   0   0   0   0   0   0   0   1   0   0 
  (T2)^e = g^{h'}               :  h'  0   e   0   0   0   0   0   0   0   0   0   0 
  (T5)^x = T4                   :  0   0   0   x   0   0   0   0   0   0   0   1   0 
  (T7)^{x'} = T6                :  0   0   0   0   x'  0   0   0   0   0   0   0   1 
  a0 a^x b^{x'} y^{h'} = (T1)^e :  0   0   0   0   0   h'  e   x   x'  1   0   0   0 

Observe that the above proof of knowledge ensures that the values T1, ..., T7 are prop- 
erly formed and "contain" a valid certificate. In particular the above proof not only 
enforces the certificate condition A_i^{e_i} = a0 a^{x_i} b^{x'_i} but also the fact that e_i ∈ Γ and 
x_i, x'_i ∈ Λ. 

Open (invoked by the GM). Given an Identify transcript ⟨ρ1, c, ρ2⟩ and all Join tran- 
scripts, the GM does the following: it parses ρ1 for the sequence ⟨T1, ..., T7⟩ and com- 
putes the value A = (T2)^{-x} T1, where x is the GM's secret with y = g^x. Then it searches 
the membership certificates ⟨A_i, e_i⟩ (available from the Join transcripts) to discover the 
index i such that A = A_i; the index i identifies the signer of the message. 

Reveal (invoked by the GM). Given the Join transcript of the i-th user, the GM parses 
the Join transcript to recover the tracing trapdoor trace_i := x_i. 

Trace (invoked by any agent/clerk). Given the value trace_i and an Identify protocol 
transcript ⟨ρ1, c, ρ2⟩, the agent parses the sequence ⟨T1, T2, T3, T4, T5, T6, T7⟩ from ρ1; 
subsequently it checks whether (T5)^{trace_i} = T4; if this is the case the agent concludes that 
user i is the originator of the given Identify protocol transcript. 

Claim (invoked by the user). Given an Identify protocol transcript that was generated 
by user i and contains the sequence ⟨T1, T2, T3, T4, T5, T6, T7⟩, the user i can claim 
that he is the originator as follows: he initiates a proof of knowledge of the discrete-log 
of T6 base T7 (which is a discrete-log relation set, see Section 4). As a side-note, we 
remark here that if the proof is directed to a specific entity the proof can be targeted 
to the receiver using a designated verifier proof, see [23]; such proofs can be easily 
coupled with our proofs of knowledge for discrete-log relation sets. 



Theorem 6. The traceable identification scheme above is correct according to Defini- 
tion 9 and secure according to Definition 10. In particular it satisfies (i) security against 
misidentification attacks based on the Strong-RSA and the DDH assumptions; (ii) se- 
curity against anonymity attacks based on the DDH assumption; (iii) security against 
framing attacks based on the discrete-logarithm problem over QR(n) when the factor- 
ization of n is known. 

9 Applications 

One immediate application of traceable signatures is membership revocation of the 
CRL-type. Another motivation for traceable signatures is the development of a generic 
way to transform any system S that provides anonymity into a system that provides 
“fair” or conditional anonymity taking advantage of the various traceability procedures 
we developed. An anonymity system is comprised of a population of units which, de- 
pending on the system’s function, exchange messages using anonymous channels. An 
anonymity system's fairness property allows the identification of the origin of messages, as 
well as the tracing of all messages of a suspect unit, if this is mandated by the au- 
thorities. A sketch of the idea of using traceable signatures to transform any such an 
anonymous system into a system with fair anonymity is as follows: each unit of the 
anonymous system becomes a member of a traceable signature system; any message 
that is sent by a unit must be signed using the traceable signature mechanism. Messages 
that are not accompanied by a valid traceable signature are rejected by the recipients. 
This simple transformation is powerful and generic enough to add “fair” anonymity to 
a large class of anonymous systems (for example mix-networks). 
Abstract. We propose a practical abuse-resilient transaction escrow 
scheme with applications to privacy-preserving audit and monitoring of 
electronic transactions. Our scheme ensures correctness of escrows as 
long as at least one of the participating parties is honest, and it ensures 
privacy and anonymity of transactions even if the escrow agent is cor- 
rupt or malicious. The escrowed information is secret and anonymous, 
but the escrow agent can efficiently find transactions involving some user 
in response to a subpoena or a search warrant. Moreover, for applica- 
tions such as abuse-resilient monitoring of unusually high levels of certain 
transactions, the escrow agent can identify escrows with particular com- 
mon characteristics and automatically (i.e., without a subpoena) open 
them once their number has reached a pre-specified threshold. 

Our solution for transaction escrow is based on the use of Verifiable 
Random Functions. We show that by tagging the entries in the escrow 
database using VRFs indexed by users’ private keys, we can protect 
users’ anonymity while enabling efficient and, optionally, automatic de- 
escrow of these entries. We give a practical instantiation of a transaction 
escrow scheme utilizing a simple and efficient VRF family secure under 
the DDH assumption in the Random Oracle Model. 



1 Introduction 

Massive collection of personal and business data is increasingly seen as a nec- 
essary measure to detect and thwart crime, fraud, and terrorism. For example, 
all U.S. banks must report transactions over $10,000. Regulations of the U.S. 
Securities and Exchange Commission effectively require financial firms to store 
all emails in case they are subpoenaed in some future investigation. Government 
authorities often demand that financial transactions, internal corporate commu- 
nications, and so on be escrowed with law enforcement or regulatory agencies in 
such a way that the escrow agency can open the data pertaining to some user 
within the time period for which a subpoena or search warrant has been issued, 
or mine the collected data without a warrant for evidence of suspicious activity. 

Existing techniques. Information stored in the escrow agency’s database must 
be protected both from abuse by the escrow agency’s employees and from exter- 
nal attacks. Unfortunately, existing escrow schemes sacrifice either user privacy, 
or efficiency of the escrow operation. Moreover, existing techniques allow mining 
of the escrowed data for evidence of suspicious activity only by letting the escrow 
agency de-escrow any entry at will. 

Key escrow techniques [Mic92, KL95] implicitly assume that escrowed data 
are tagged by the key owner’s identity or address. This enables efficient de-escrow 
of a subset of records pertaining to some user (e.g., in response to a subpoena), 
but fails to protect anonymity of records against malicious employees of the 
escrow agency who can learn the number and timing of transactions performed 
by a given person, find correlations between transactions of different people, and 
so on. On the other hand, if escrows are not tagged, then there is no efficient 
procedure for opening the relevant escrows in response to a subpoena. Each entry 
in the escrow database must be decrypted to determine whether it involves the 
subpoenaed user. This is prohibitively inefficient, especially if the decryption key 
of the escrow agency is shared, as it should be, among a group of trustees. 

Our contribution. We propose a verifiable transaction escrow (VTE) scheme 
which offers strong privacy protection and enables efficient operation of the es- 
crow agent. Our scheme furnishes transaction participants with a provably secure 
privacy guarantee which we call category-preserving anonymity. We say that two 
transactions belong to the same category if and only if they were performed by 
the same user and are of the same type (e.g., both are money transfers). An 
escrow scheme is category-preserving anonymous if the only information about 
any two transactions that the (malicious) escrow agent can learn from the corre- 
sponding escrow entries is whether the transactions fall into the same category 
or not. The agent cannot learn which category either transaction belongs to. 

Of course, a malicious participant may reveal the transaction to the escrow 
agent. However, regardless of the user’s transactions with dishonest parties who 
leak information to the escrow agent, all of his transactions with honest parties 
remain private in the sense of category-preserving anonymity — even if they 
belong to the same category as compromised transactions. While it does not 
provide perfect anonymity, category-preserving anonymity seems to give out no 
useful information, especially if transaction volume is high. (If volume is low, 
there may be undesirable information leaks, e.g., the escrow agent may observe 
that only one category is ever used, and deduce that only one user is active.) 

We present a VTE scheme with two variants. The first variant has an inexpen- 
sive escrow protocol, but does not achieve full category-preserving anonymity. 
The privacy guarantees it does offer might be acceptable in practice, however. 
The second variant achieves category-preserving anonymity at the cost of adding 
an expensive cut-and-choose zero-knowledge proof to the escrow protocol. 
Our VTE scheme supports both (1) efficient identification and opening of 
escrows in response to a subpoena, and (2) efficient automatic opening of escrows 
that fall into the same category once their number reaches some pre-specified 
threshold. The scheme is also tamper-resistant in the sense that a malicious 
escrow agent cannot add any valid-looking escrows to the database. Finally, our 
scheme ensures correctness of the escrow entry as long as at least one participant 
in the escrowed transaction is honest. Note that there is no way to ensure escrow 
of transactions between parties who cooperate in concealing the transaction. 

Our scheme employs Verifiable Random Functions. We show that by tagging 
entries in the escrow database using VRFs indexed by users’ private keys, we en- 
able efficient and, if necessary, automatic de-escrow (disclosure) of these entries, 
while providing category-preserving anonymity for the users. We instantiate our 
scheme with a practical construction based on a simple and efficient (shareable) 
VRF family secure under the DDH assumption in the Random Oracle Model. 
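As an added example (not from the paper; the paper's own instantiation is in its Section 3, which is not on this page), the following Python code tags escrow entries with the standard random-oracle VRF candidate F_k(t) = H(t)^k, accompanied by a Chaum-Pedersen equality-of-discrete-logs proof made non-interactive with Fiat-Shamir, in the order-q subgroup of Z_p^* for the toy safe prime p = 2039. The tag function, the proof shape, the Type function, the party names and the transactions are all constructed for the example. It shows the property described above: entries of the same (user, type) category carry identical tags, entries of different categories carry unrelated ones, a Counterparty who knows m and pk_U can check that the tag is the right one for the category (the Agent cannot, since it must not learn the type), and the Agent can count entries per tag for threshold-based opening without learning which category a tag stands for.

```python
# Added example (not from the paper): VRF-tagged escrow entries in a toy group.
# Tag = H(Type(m))^{k_U}; the proof is a Chaum-Pedersen equality-of-dlogs NIZK.
import hashlib

P = 2039          # toy safe prime, p = 2q + 1 (far too small for real use)
Q = 1019          # prime order of the subgroup of squares
G = 4             # generator of that subgroup


def hash_to_group(data):
    """Random-oracle hash into the order-q subgroup: reduce mod p, then square."""
    v = int.from_bytes(hashlib.sha256(data).digest(), "big") % P
    return pow(max(v, 2), 2, P)                  # avoid the degenerate 0 and 1


def hash_to_zq(*items):
    return int.from_bytes(hashlib.sha256("|".join(map(str, items)).encode()).digest(),
                          "big") % Q


def user_keygen(k):
    """User key pair (k_U, pk_U = g^{k_U}); k is the user's secret choice."""
    return k % Q, pow(G, k, P)


def vrf_tag(k, category_type):
    """tag = H(type)^k and a proof that log_g pk = log_{H(type)} tag."""
    h = hash_to_group(category_type.encode())
    tag = pow(h, k, P)
    t = hash_to_zq("nonce", k, category_type)    # toy deterministic nonce
    A1, A2 = pow(G, t, P), pow(h, t, P)
    c = hash_to_zq(G, pow(G, k, P), h, tag, A1, A2)
    return tag, (c, (t - c * k) % Q)


def vrf_verify(pk, category_type, tag, proof):
    """Counterparty's check: needs pk_U and the type, which it knows from m."""
    h = hash_to_group(category_type.encode())
    c, s = proof
    A1 = pow(G, s, P) * pow(pk, c, P) % P        # = g^t iff pk = g^k
    A2 = pow(h, s, P) * pow(tag, c, P) % P       # = h^t iff tag = h^k
    return c == hash_to_zq(G, pk, h, tag, A1, A2)


def transaction_type(m):
    """Constructed public Type(): kind plus an amount band."""
    kind, _, amount = m.split(":")
    amount = int(amount)
    band = "<1000" if amount < 1000 else "1000-10000" if amount <= 10000 else ">10000"
    return f"{kind}:{band}"


def categories_over_threshold(db, threshold):
    """Agent's automatic-opening rule: tags with at least `threshold` entries."""
    return [tag for tag, items in db.items() if len(items) >= threshold]


def escrow_demo():
    k_alice, pk_alice = user_keygen(123457)
    k_bob, pk_bob = user_keygen(987651)
    # Constructed transactions; payloads stand in for the encrypted escrow body.
    batches = [(k_alice, pk_alice, ["transfer:acme:2500", "transfer:globex:7000",
                                    "transfer:initech:9900"]),
               (k_bob, pk_bob, ["transfer:acme:3000"])]
    db = {}                                       # Agent's view: tag -> payloads
    for k, pk, msgs in batches:
        for m in msgs:
            tag, proof = vrf_tag(k, transaction_type(m))
            if not vrf_verify(pk, transaction_type(m), tag, proof):
                raise ValueError("counterparty rejects escrow of " + m)
            db.setdefault(tag, []).append("enc(" + m + ")")
    t_a1 = vrf_tag(k_alice, transaction_type("transfer:acme:2500"))[0]
    t_a2 = vrf_tag(k_alice, transaction_type("transfer:globex:7000"))[0]
    t_a_small = vrf_tag(k_alice, transaction_type("transfer:acme:50"))[0]
    t_b = vrf_tag(k_bob, transaction_type("transfer:acme:3000"))[0]
    tag, proof = vrf_tag(k_alice, "transfer:1000-10000")
    return dict(same_category_equal=(t_a1 == t_a2),
                cross_user_differ=(t_a1 != t_b),
                cross_type_differ=(t_a1 != t_a_small),
                proof_ok=vrf_verify(pk_alice, "transfer:1000-10000", tag, proof),
                proof_wrong_key=vrf_verify(pk_bob, "transfer:1000-10000", tag, proof),
                distinct_tags=len(db),
                over_threshold=categories_over_threshold(db, 3))
```

Under DDH in the random-oracle model the tags H(t1)^k and H(t2)^k for two types look like unrelated group elements, which is the category-preserving anonymity the introduction asks for: the Agent sees that Alice's three transfers share a tag but not whose tag it is or what type it encodes. Note also what this toy does not do: it does not say how the Agent learns the tags of a subpoenaed user, and the Counterparty verification reveals the type to the Counterparty, who knows m anyway.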

Applications. A VTE scheme can be used in any scenario where transaction 
data must be escrowed but should remain private and anonymous. For example, 
a financial regulatory agency may collect escrows of all money transfers to ensure 
availability of evidence for future investigations of money laundering. Unless a 
court warrant is obtained, the agency should not be able to extract any useful 
information from the escrows, not even participants’ identities. At the same 
time, the automatic opening capability of our VTE scheme can also support a 
scenario where the agency needs to identify all transfers which are made from 
the same account and share the same type, e.g., all involve a certain organization 
or country, or more than a certain amount. These transactions should be secret 
and anonymous until their number reaches a pre-specified threshold, in which 
case the authority gains the ability to extract all corresponding plaintexts. 

Related work. The problem of efficient classification and opening of escrows is 
related to the problem of search on encrypted data [SWPOO, BCOP03]. In the 
latter problem, however, there is no notion of a malicious user who submits in- 
correct ciphertexts or interferes with record retrieval. Moreover, their techniques 
require the user to generate search-specific trapdoors, while we are also inter- 
ested in scenarios where the escrow agent is able to open all escrows in a given 
category not because he received some category-specific trapdoor but because 
the number of escrows within a category reached a pre-specified threshold. 

Paper organization. In section 2, we define verifiable transaction escrow and 
describe its security properties. In section 3, we present the simpler variant 
of our VTE construction, which is practical but does not achieve full category- 
preserving anonymity. In section 4, we present another variant which does achieve 
category-preserving anonymity, but employs an expensive cut-and-choose zero- 
knowledge protocol. In section 5, we show how to extend either construction to 
support automatic de-escrow capability. For lack of space, we omit all proofs 
from these proceedings. The full version of the paper, including all proofs, will 
be made available on eprint [JS04]. 
2 Definition of a Verifiable Transaction Escrow Scheme 

A Verifiable Transaction Escrow (VTE) system involves an escrow Agent and 
any number of users. We assume that each transaction occurs between a User 
and a Counterparty. The two roles are naturally symmetric (users may act as 
counterparties for each other), but in some applications the escrow agent may 
only be interested in monitoring users (e.g., bank clients), but not the 
counterparties (banks). 

We assume that each transaction is adequately described by some bitstring m, 
and that there is a public and easily computable function Type, where Type(m) 
of transaction m is application-specific, e.g., “this transaction is a money 
transfer,” or “this transaction is a money transfer between $1,000 and $10,000.” The 
category of a transaction is the (user identity, type) pair. 

2.1 Basic Properties of a Verifiable Transaction Escrow Scheme 

A VTE scheme is a tuple (AKG, UKG, U_1, A, U_2, C, U_3, J) of the following 
probabilistic polynomial-time (PPT) algorithms: 

• AKG and UKG are key generation algorithms, which on input of a security 
parameter τ generate, respectively, Agent’s key pair (k_A, pk_A) and, for each User, 
key pair (k_U, pk_U). 

• (U_1, A) are interactive algorithms which define an escrow protocol. Its aim is to 
add an escrow of a transaction to the Agent’s database in exchange for a receipt 
which will be later verified by the transaction Counterparty. The protocol runs 
between User (U_1) and Agent (A), on public input of Agent’s public key pk_A. 
User’s private input is (k_U, m), where m is the transaction description. Agent’s 
private input is (k_A, D) where D is the state of Agent’s escrow database. User’s 
output is a receipt rcpt, and Agent’s output is an escrow item e, which defines 
a new state of Agent’s database as D' = D ∪ {e}. 

• (U_2, C) are interactive algorithms which define a verification protocol. Its aim 
is for the Counterparty to verify the receipt certifying that the transaction was 
properly escrowed with the Agent. The protocol runs between User (U_2) and 
Counterparty (C), on public input (pk_U, m, pk_A). User’s private input is k_U, rcpt. 
Counterparty outputs decision d = accept/reject. 

• (U_3, J) is a pair of interactive algorithms which defines a subpoena protocol. Its 
aim is to identify all transactions of a given type in which the user participated, 
and only those transactions. The protocol runs between User (U_3) and a public 
Judge (J), on public inputs (pk_U, T, D), where pk_U, T identify the (user, type) 
category to be subpoenaed, and D is Agent’s database. User’s private input 
is k_U. Judge has no private inputs. Algorithm J outputs M, which is either 
a symbol contempt if the User refuses to cooperate, or a (possibly empty) list 
(m_1, m_2, ...) of transactions of type T involving user pk_U. 

Completeness. If parties follow the protocol, then every escrowed transaction 
can be de-escrowed in the subpoena. In other words, for all keys (k_A, pk_A) and 
(k_U, pk_U) generated by AKG and UKG, and for every m, D, D', if (U_1(k_U, m), 
A(k_A, D))(pk_A) outputs (rcpt, e) then (U_2(k_U, rcpt), C)(pk_U, m, pk_A) 
outputs d = accept and (U_3(k_U), J)(pk_U, Type(m), D' ∪ {e}) outputs M s.t. m ∈ M. 

For notational convenience, we define predicate Prop(e, m, pk_U) to be true if 
and only if (U_3(k_U), J)(pk_U, Type(m), D' ∪ {e}) outputs M s.t. m ∈ M. 

Verifiability. The escrow agent receives a correct escrow of the transaction as 
long as at least one party in the transaction is honest. In particular, a malicious 
User has only negligible probability³ of getting an honest Counterparty to 
accept in an escrow protocol unless the User gives to the Agent a proper escrow. 
Formally, for every PPT algorithms U_1^*, U_2^*, for every D, m, 

$$\Pr\big[\,\mathrm{Prop}(e,m,pk_U) \;\big|\; (k_A,pk_A)\leftarrow AKG(1^\tau);\ (k_U,pk_U)\leftarrow UKG(1^\tau);\ (rcpt^*,e)\leftarrow (U_1^*(k_U,m),A(k_A,D))(pk_A);\ \mathit{accept}\leftarrow (U_2^*(rcpt^*),C)(pk_U,m,pk_A)\,\big] \ge 1-\mathrm{negl}(\tau)$$



Efficient and unavoidable subpoena. The subpoena procedure is unavoidable 
in the sense that the user is either publicly identified as refusing to cooperate, 
or all entries in the escrow database which involve the user and the specified type 
are publicly revealed. Namely, for every PPT algorithm U_3^*, for every D', m, e, 
for T = Type(m), 

$$\Pr\big[\,M=\mathit{contempt}\ \vee\ m\in M \;\big|\; (k_A,pk_A)\leftarrow AKG(1^\tau);\ (k_U,pk_U)\leftarrow UKG(1^\tau);\ M\leftarrow (U_3^*(k_U),J)(pk_U,T,D'\cup\{e\});\ \mathrm{Prop}(e,m,pk_U)\,\big] \ge 1-\mathrm{negl}(\tau)$$

Moreover, the subpoena protocol is efficient in the sense that its running time 
is linear in the number of escrows of the subpoenaed (user, type) category in the 
database D, rather than in the size of the whole escrow database D. 

Tamper resistance. A malicious Agent can’t add entries to the escrow database 
which would be identified as transactions involving some user during the public 
subpoena process, unless that user created these escrows himself. Namely, for 
every PPT algorithm A*, for random keys k_U, pk_U generated by UKG, if A* 
has access to user oracles O_{U1}(·,·), O_{U2}(·,·,·), and O_{U3}(·,·), where O_{U1}(m, pk_A) 
follows the U_1 protocol on (k_U, m) and pk_A, O_{U2}(m, rcpt, pk_A) follows the U_2 
protocol on (k_U, m, rcpt) and pk_A, and O_{U3}(T, D) follows the U_3 protocol on k_U and 
(pk_U, T, D), then there is only negligible probability that A*^{O_{U1}, O_{U2}, O_{U3}}(pk_U) 
produces T*, D* s.t. M ← (U_3(k_U), J)(pk_U, T*, D*) where M contains some 
message m* s.t. A* did not run oracle O_{U1}(·, ·) on m* and some pk_A. 

Category-preserving anonymity. By default, the only information learned 
by a malicious Agent about any two instances of the escrow protocol is whether 
the two transactions fall into the same category, i.e., correspond to the same 
(user, type) pair or not. Moreover, neither the transactions opened in the 
subpoena protocol, nor transactions reported to the Agent by some malicious 
Counterparties, should help the malicious Agent to crack the privacy of transactions 
done with honest Counterparties and which were not subpoenaed. 

³ We say that a function f(τ) is negligible if for any polynomial p(·), there exists τ_0 
s.t. for every τ > τ_0, f(τ) < 1/p(τ). We denote a negligible function by negl(·). 

Formally, consider the following game between any PPT algorithms A*, C* 
and the VTE system. First, polynomially many user keys {(k_i, pk_i)} are 
generated by the UKG algorithm. Then, if A* has access to flexible user oracles 
O_{U1}(·,·,·), O_{U2}(·,·,·,·), O_{U3}(·,·,·), where O_{U1}(i, m, pk_A) follows the U_1 
protocol on (k_i, m) and pk_A, O_{U2}(i, m, rcpt, pk_A) follows the U_2 protocol on (k_i, rcpt) 
and (pk_i, m, pk_A), and O_{U3}(i, T, D) follows the U_3 protocol on k_i and (pk_i, T, D), 
the following holds: 

$$\Pr\Big[\, b=b' \;\Big|\; (i_0,i_1,m_0,m_1,st,pk_A)\leftarrow (A^*)^{O_{U_1},O_{U_2},O_{U_3}}(pk_1,\ldots,pk_{p(\tau)});\ b\leftarrow\{0,1\};\ (rcpt_b,st')\leftarrow (U_1(k_{i_b},m_b),A^*(st))(pk_A);\ \bar b=\neg b;\ (rcpt_{\bar b},st'')\leftarrow (U_1(k_{i_{\bar b}},m_{\bar b}),A^*(st'))(pk_A);\ (st''')\leftarrow (U_2(k_{i_0},rcpt_0),C^*(st''))(pk_{i_0},m_0,pk_A);\ (st'''')\leftarrow (U_2(k_{i_1},rcpt_1),C^*(st'''))(pk_{i_1},m_1,pk_A);\ b'\leftarrow (A^*)^{O_{U_1},O_{U_2},O_{U_3}}(st'''')\,\Big] \le \tfrac{1}{2}+\mathrm{negl}(\tau)$$

where the test transactions (i_0, m_0) and (i_1, m_1) and the queries of A* to O_{U1} 
and O_{U3} oracles are restricted as follows: 

(1) The test transactions are not subpoenaed, i.e., O_{U3} is not queried on either 
(i_0, Type(m_0)) or (i_1, Type(m_1)). 

(2) If any of the (user, type) pairs involved in the test transactions are seen by 
the Agent in some query to O_{U1} or O_{U3}, then the two test transactions must 
have the same (user, type) pairs, i.e., if for any β = 0, 1, either O_{U3} was queried 
on (i_β, Type(m_β)) or O_{U1} was queried on (i_β, m'_β) s.t. Type(m'_β) = Type(m_β), 
then i_0 = i_1 and Type(m_0) = Type(m_1). 



2.2 Additional Desirable Properties of a VTE Scheme 

Automatic threshold disclosure. A VTE scheme may support automatic 
opening of escrows involving transactions with the same (user, type) once their 
number reaches some threshold value, pre-set for transactions of this type. We 
show an example of such extension in Section 5. 

Key management. In practice, a VTE scheme requires a Key Certification 
Authority serving as strong PKI. If a user’s key is lost or compromised, the CA 
must not only revoke that key and certify a new one, but also reconstruct the 
old key to facilitate the subpoena of transactions which were escrowed under 
it. To avoid a single point of failure, the CA should implement this key escrow 
functionality via a group of trustees using standard threshold techniques. We 
stress that although a majority of the CA trustees must be trusted, this is not 
a severe limitation of the proposed scheme because the CA is invoked only when 
a new user enrolls in the system, or when the key of some user is subpoenaed 
and he refuses to cooperate. Moreover, the secret keys of the CA trustees need 
only be used during reconstruction of some user’s key in the case of key loss 
and/or user’s refusal to cooperate with a subpoena, both of which should be 
relatively infrequent events. Interestingly, while PKI is often viewed as a threat 
to privacy, in our scheme it actually helps privacy. Without PKI, escrow can 
only be implemented via a public-key scheme that cannot guarantee both user 
anonymity and efficient operation of the escrow scheme. 



3 Basic Construction of a VTE Scheme 

We present the simpler variant of our VTE scheme. As we explain in section 3.1, 
this scheme does not achieve full category-preserving anonymity, but its privacy 
protection can be good enough in practice. In section 4, we show a variant of 
the same VTE scheme which does achieve full category-preserving anonymity. 
Both variants use cryptographic primitives of verifiable anonymous encryption, 
verifiable anonymous tagging, and anonymous signatures, which we define and 
implement in section 3.2. In section 3.3, we discuss key management issues. 

VTE construction overview. In our VTE construction, an escrow consists 
of (1) an encryption of the transaction plaintext, (2) a signature, and (3) a 
deterministically computed tag which is an output of a pseudorandom function 
indexed by the user’s private key and applied to the type of the transaction. 
The tags enable the Agent to group entries in the escrow database into “bins” 
corresponding to tag values. Because a pseudorandom function assigns outputs to 
inputs deterministically, escrows corresponding to the same (user, type) category 
are always placed in the same bin, enabling efficient identification of the escrowed 
entries of a given category during the subpoena. However, the pseudorandomness 
helps to ensure that the tags reveal no more information than permitted by 
category-preserving anonymity, i.e., the only information learned by the escrow 
agent about any two escrows is whether they belong to the same category. 

The signature is included to disable Agent’s tampering with the escrowed 
entries. The encryption and the tag must preserve secrecy of the transaction 
plaintext against chosen-plaintext attack, because a malicious Agent can cause 
a user to participate in transactions of Agent’s choice and see the corresponding 
escrow entries (see the definition of category-preserving anonymity). The whole 
escrow must also protect user’s key privacy against the same chosen-plaintext 
attack. To enable verification that an escrow is correctly formed, the tag, the 
ciphertext, and the signature must all be verifiable by the transaction counterparty, 
i.e., given the transaction plaintext and the user’s public key. 

Initialization: Every user is initialized with a public/private key pair imple- 
mented as in section 3.2. The escrow agent is initialized with a key pair of any 
CMA-secure signature scheme. 

Escrow protocol: We assume that before the escrow protocol starts, the user 
and the counterparty agree on transaction description m of type T = Type{m). 
1. The user sends to the escrow agent an escrow e = (c, t, s) s.t.: 

(a) c = Enc_k{m} is a verifiable anonymous symmetric encryption of m. 

(b) t = Tag_k{T} is an output of a verifiable anonymous tagging function. 

(c) s = sig_k{c, t} is an anonymous signature on the (ciphertext, tag) pair. 

2. The agent places escrow e in the escrow database in the bin indexed by the 
tag t, and sends his signature rcpt on e to the user. 

Verification protocol: 

1. The user forwards the escrow e and the agent’s signature rcpt to the coun- 
terparty, together with a proof that: 

(a) c is a ciphertext of m under a key k corresponding to the public key pk. 

(b) t is a tag computed on type T under key k corresponding to pk. 

(c) s is an anonymous signature computed on (c, t) under the public key pk. 

2. The transaction counterparty accepts if he verifies the agent’s signature on 
e and the correctness of the above three proofs. 

Subpoena protocol: The protocol proceeds on a public input of any subset 
D of the escrow database, the type T of the subpoenaed transactions, and the 
identity pk of the subpoenaed user: 

1. The user computes tag t = Tag_k{T} and proves its correctness under pk. 

2. Entries (e_1, e_2, ...) in D which are indexed by tag t are publicly identified, 
and for each e_i = (c_i, t, s_i), the user verifies the signature s_i on (c_i, t). 

(a) If the signature does not match, the user provably denies that the 
signature is valid under pk, and if the proof is correct the entry is skipped. 

(b) If the signature matches, the user publishes the transaction plaintext m_i 
by decrypting the ciphertext c_i under k, and proving correctness of the 
decryption under key k corresponding to pk. 

3. If the user cooperates, the output includes all (and only) transactions of the 
subpoenaed type for that user. If any of the above proofs fails, the public 
output is the special symbol contempt. 

From the properties of the cryptographic primitives used in this VTE con- 
struction, the following theorem follows: 

Theorem 1. The basic VTE scheme satisfies (1) verifiability, (2) efficient and 
unavoidable subpoena, and (3) tamper resistance. 

3.1 Privacy Leakage of the Basic VTE Scheme 

In the above scheme, the user presents the (ciphertext, tag, signature) tuple to 
both the agent and the counterparty. This allows a malicious counterparty and 
a malicious agent to link their views of the escrow and verification protocols, 
and since the counterparty knows the user identity and the message plaintext, a 
malicious agent can learn an association between a tag and a (user, type) pair. 
This would violate category-preserving anonymity, because with this knowledge 
the escrow agent can learn the type and user identity of all transactions with 
the same tag, even those conducted with other, honest counterparties. 

In practice, privacy protection can be increased by allowing the type of the 
transaction to range over some small set, for example of a hundred constants. 
If the index of the constant used for a given transaction is chosen by hash- 
ing the counterparty’s identity, then there is only 1% chance that a dishonest 
counterparty can endanger the anonymity of transactions of the same type with 
any other honest counterparty. On the other hand, when a user is subpoenaed 
on a given type, he has to identify a hundred categories instead of one. Such a 
privacy/efficiency trade-off may be acceptable in some applications. 

3.2 Definitions and Constructions for Cryptographic Primitives 

Let p, q be large primes s.t. p = 2q+1, and let g be a generator of Z_p^*. The 
security of our constructions relies on the hardness of the Decisional Diffie-Hellman 
(DDH) problem in the subgroup QR_p of quadratic residues in Z_p^*, which says that 
tuples (h, h^a, h^b, h^{ab}) are indistinguishable from tuples (h, h^a, h^b, h^c) for h ∈ QR_p 
and random a, b, c in Z_q (see, e.g., [Bon98]). Our security arguments follow the 
so-called “Random Oracle Model” methodology of [BR93]. Namely, we assume 
an “ideal hash function” H : {0,1}* → Z_p^* which can be treated as a random 
function in the context of our constructions. 

Verifiable random functions. A VRF family [MRV99] is defined by three 
algorithms: a key generation algorithm KGen outputting private key k and public 
key pk, an evaluation algorithm Eval(k, x) = (y, π) which on input x outputs the 
value of the function y = f_k(x) and a proof π that the value is computed 
correctly, and a verification algorithm Ver which can verify π on inputs (pk, x, y, π). 
The VRF is secure if it is infeasible to distinguish an interaction with function 
f_k, for a randomly chosen key k, from an interaction with a purely random 
function which outputs uniformly distributed values in the same range. Moreover, 
the VRF needs to be verifiable, in the sense that any proof will be rejected 
unless the returned value y is indeed f_k(x). The VRF concept and constructions 
were originally proposed for the standard model [MRV99, Lys02, Dod03], i.e., 
without assuming ideal hash functions, but the evaluation/verification cost for these 
constructions involves Ω(τ) cryptographic operations. In contrast, in the 
Random Oracle Model, a simple VRF family can be constructed based on the DDH 
assumption, with evaluation and verification cost of 1-3 exponentiations. 
Similar or identical constructions were used before [CP92, NPR99, CKS00], without 
explicitly noting that the result is a VRF family. 

We relax (slightly) the standard definition of VRF [MRV99] by replacing the 
uniqueness requirement with a computational soundness requirement. 

Definition 1. A VRF family (for a group family {G_τ}_{τ=1,2,...}) is given by a 
tuple of polynomial-time algorithms (KGen, Eval, Ver) where KGen(1^τ) outputs a 
pair of keys (k, pk), Eval is a deterministic algorithm which, on any x, outputs 
(y, π) ← Eval(k, x) s.t. y ∈ G_τ, and Ver(pk, x, y, π) outputs 0 or 1, which satisfy 
the following requirements: 

1. Completeness: For every τ and x, if (k, pk) ← KGen(1^τ) and (y, π) = 
Eval(k, x) then Ver(pk, x, y, π) = 1. 

2. Soundness: For any probabilistic polynomial-time algorithm A, for any values 
pk and x, the following probability is negligible: 

$$\Pr\big[\,\mathrm{Ver}(pk,x,y,\pi)=\mathrm{Ver}(pk,x,y',\pi')=1\ \wedge\ y\ne y' \;\big|\; (y,y',\pi,\pi')\leftarrow A(pk,x)\,\big]$$

3. Pseudorandomness: For all probabilistic polynomial-time algorithms A_1, A_2, 

$$\Pr\big[\, b=b' \;\big|\; (k,pk)\leftarrow \mathrm{KGen}(1^\tau);\ (x,st)\leftarrow A_1^{O_{\mathrm{Eval}}(k,\cdot)}(pk);\ y_0\leftarrow \mathrm{Eval}(k,x);\ y_1\leftarrow G_\tau;\ b\leftarrow\{0,1\};\ b'\leftarrow A_2^{O_{\mathrm{Eval}}(k,\cdot)}(st,y_b)\,\big] \le \tfrac{1}{2}+\mathrm{negl}(\tau)$$

where A_1 and A_2 are restricted from querying oracle O_Eval(k, ·) on the 
challenge input x chosen by A_1. 

Construction: Let H : {0,1}* → Z_p^* be an ideal hash function (modeled as 
a random oracle). Formally, the key generation picks a triple (p, q, g) as above 
s.t. the hardness of the DDH problem in QR_p is good enough for the security 
parameter. For ease of discussion, we treat (p, q, g) as chosen once and for all. 
We will construct a VRF function family indexed by such triples, whose range 
is the group of quadratic residues QR_p. The key generation algorithm picks a 
secret key k ∈ Z_q^* and the public key pk = g^k mod p. The evaluation algorithm 
Eval(k, x) returns y = h^k mod p where h = H(x), and a non-interactive 
zero-knowledge proof π of equality of discrete logarithms k = DL_h(y) = DL_g(pk). 
This is a standard ZKPK proof of discrete-log equality which can be made 
non-interactive in the ROM, e.g., [CS97]. 

Theorem 2. Algorithms (KGen, Eval, Ver) define a Verifiable Random Function 
family, under the DDH assumption in the Random Oracle Model. 

Verifiable anonymous tagging function. We define a verifiable anonymous 
tagging function simply as a VRF, and we implement it as Tag_k{x} = f_k(x). 
It is easy to see that tags Tag_k{T} give no information about the category 
they represent, i.e., user’s identity pk and the transaction type T, except that, 
whatever category this is, it is identified with tag Tag_k{T}. It is also easy to see 
that a VRF has good enough collision-resistance so that escrows of two categories 
go to different bins. In fact, a much stronger property holds: 

Theorem 3. Under the discrete log assumption, in the Random Oracle Model, 
the VRF family (KGen, Eval, Ver) has a strong collision resistance property in the 
sense that it is infeasible to find a pair (k, x) ≠ (k', x') s.t. Eval(k, x) = Eval(k', x'). 
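The VRF construction above and its use as the tagging function, as an added worked example (this is our illustration, not code from the paper): Eval computes y = H(x)^k together with a Chaum-Pedersen style proof that DL_h(y) = DL_g(pk), made non-interactive with a hash, and the Agent uses the tag values to bin escrows so that a subpoena touches only one bin. The group size (a 21-bit safe prime), the generator 4 of QR_p, and SHA-256 as the ideal hash (squared mod p so that H(x) lands in QR_p) are assumptions made for the example.

```python
import hashlib
import secrets

# Added example, not code from the paper: a toy instance of the VRF above,
# pk = g^k, y = H(x)^k, with a Chaum-Pedersen style proof of discrete-log
# equality made non-interactive by hashing, used as the tagging function
# Tag_k{T} and to sort escrows into bins for an efficient subpoena.
# Assumptions (ours): a 21-bit safe prime, generator 4 of QR_p, and SHA-256
# as the ideal hash H, squared mod p so that H(x) lands in QR_p.

def _is_prime(n):
    """Trial division; enough for the toy group size used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def next_safe_prime(start):
    """Smallest p >= start with p = 2q+1 and both p and q prime."""
    p = start | 1
    while not (_is_prime(p) and _is_prime((p - 1) // 2)):
        p += 2
    return p

P = next_safe_prime(1 << 20)   # toy modulus; real deployments use >= 2048 bits
Q = (P - 1) // 2               # prime order of the subgroup QR_p
G = 4                          # 4 = 2^2 lies in QR_p, so it generates QR_p

def hash_to_group(x):
    """H: {0,1}* -> QR_p, modelled by SHA-256 followed by squaring mod p."""
    digest = int.from_bytes(hashlib.sha256(b"H|" + x).digest(), "big")
    return pow(digest % (P - 2) + 2, 2, P)

def challenge(*transcript):
    """Fiat-Shamir challenge in Z_q derived from the proof transcript."""
    digest = hashlib.sha256(repr(transcript).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def kgen():
    """KGen: secret key k in Z_q^*, public key pk = g^k mod p."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)

def eval_vrf(k, x):
    """Eval(k, x) = (y, pi): y = H(x)^k plus a proof that DL_h(y) = DL_g(pk)."""
    h = hash_to_group(x)
    y, pk = pow(h, k, P), pow(G, k, P)
    w = secrets.randbelow(Q)                    # prover's one-time randomness
    a1, a2 = pow(G, w, P), pow(h, w, P)         # commitments g^w and h^w
    c = challenge(G, pk, h, y, a1, a2)
    z = (w + c * k) % Q
    return y, (c, z)

def verify_vrf(pk, x, y, proof):
    """Ver(pk, x, y, pi): rebuild g^w and h^w from (c, z) and re-derive c."""
    c, z = proof
    h = hash_to_group(x)
    a1 = pow(G, z, P) * pow(pk, -c, P) % P      # g^z * pk^-c == g^w
    a2 = pow(h, z, P) * pow(y, -c, P) % P       # h^z * y^-c  == h^w
    return c == challenge(G, pk, h, y, a1, a2)

def tag(k, transaction_type):
    """Tag_k{T} = f_k(T): deterministic, so one (user, type) maps to one bin."""
    return eval_vrf(k, transaction_type)

class EscrowDatabase:
    """Agent's database: escrows grouped into bins indexed by tag value."""
    def __init__(self):
        self.bins = {}

    def add(self, t, escrow):
        self.bins.setdefault(t, []).append(escrow)

    def subpoena(self, pk, transaction_type, t, proof):
        """Judge's side of subpoena step 1: accept the tag proof under pk and
        expose only that bin, so the cost is linear in the bin, not the DB."""
        if not verify_vrf(pk, transaction_type, t, proof):
            return "contempt"
        return list(self.bins.get(t, []))

def demo():
    """Two users escrow wire transfers; a subpoena on (alice, wire) opens hers only."""
    k_alice, pk_alice = kgen()
    k_bob, _ = kgen()
    db = EscrowDatabase()
    for k, desc in ((k_alice, b"wire #1"), (k_alice, b"wire #2"), (k_bob, b"wire #3")):
        db.add(tag(k, b"wire")[0], desc)    # a real escrow also carries c and s
    t, proof = tag(k_alice, b"wire")
    opened = db.subpoena(pk_alice, b"wire", t, proof)
    refused = db.subpoena(pk_alice, b"cash", t, proof)   # proof was for "wire"
    return opened, refused, len(db.bins)
```

The subpoena check is the Judge's view of step 1 of the subpoena protocol: the proof binds the tag to pk and to the type being subpoenaed, so a proof made for one type cannot be reused to open a different bin, and the Agent never needs to scan bins belonging to other categories.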

Verifiable anonymous symmetric encryption. For escrows to be anony- 
mous, the symmetric encryption Enc used by the user must be not only chosen- 
plaintext secure, but also key-hiding. Following [Fis99, BBDP01], we combine 
these in one definition that implies several natural anonymity properties. Even 
an adversary who decides who encrypts what, cannot tell, for ciphertexts 
created outside of his control, whether the messages and keys satisfy any non-trivial 
relation this adversary is interested in. For example, the adversary cannot tell if 
a ciphertext is an encryption under any given key, if two ciphertexts are encryp- 
tions under the same key, if two ciphertexts encrypt related messages, etc. 

Let (KGen, Enc, Dec) be a symmetric encryption scheme. In our experiment, 
first the key generation algorithm is executed p(τ) times where p(·) is some 
polynomial and τ is the security parameter. Denote the keys as k_i, for i ∈ 
{1, ..., p(τ)}. The adversary can query the following flexible encryption oracle O_Enc(·, ·): 
on input (i, m), i ∈ {1, ..., p(τ)} and m ∈ {0,1}*, O_Enc(i, m) outputs Enc(k_i, m). 

Definition 2. We say that a symmetric encryption scheme (KGen, Enc, Dec) is 
(chosen-plaintext-secure) anonymous if, for any polynomial p(·) and probabilistic 
polynomial-time adversary A_1, A_2, 

$$\Pr\big[\, b=b' \;\big|\; (k_1,\ldots,k_{p(\tau)})\leftarrow (\mathrm{KGen}(1^\tau))^{p(\tau)};\ (i_0,i_1,m_0,m_1,st)\leftarrow A_1^{O_{\mathrm{Enc}}(\cdot,\cdot)}(1^\tau);\ b\leftarrow\{0,1\};\ c\leftarrow \mathrm{Enc}(k_{i_b},m_b);\ b'\leftarrow A_2^{O_{\mathrm{Enc}}(\cdot,\cdot)}(st,c)\,\big] \le \tfrac{1}{2}+\mathrm{negl}(\tau)$$

We also extend the notion of (CPA-secure and anonymous) symmetric en- 
cryption by a verifiability property. We stress that this property is different 
from what is referred to as verifiable encryption in the context of asymmetric 
encryption schemes [ASW98, CD00]. We require that the secret key k of an 
anonymous encryption be generated together with a commitment to this secret 
key, which we will call a public key pk. This public key, however, is used not to 
encrypt but to enable efficient verification that a given ciphertext is a correct 
encryption of a given plaintext. In fact, our verifiability property for symmetric 
encryption is very similar to the verifiability property of VRFs. Namely, we 
require that the encryption procedure Enc is augmented so that along with output 
c = Enc_k{m} it produces a proof π of correct encryption evaluation. We also 
require an efficient procedure Ver which takes as inputs message m, ciphertext c, 
and a proof π. The algorithms (KGen, Enc, Dec, Ver) must then satisfy an obvious 
completeness property, i.e., that a correctly computed proof always verifies, and 
a soundness property, which says that it is intractable, for any (k, pk), to find a 
tuple (m, m', c, π, π') s.t. m ≠ m' but Ver(pk, m, c, π) = Ver(pk, m', c, π') = 1. 
Construction: Instead of using our VRF family to encrypt directly, we replace 
the hash function in our VRF construction with a Feistel-like padding scheme 
pad^H(m|r) similar to the OAEP padding [BR94, Sho01]. Assume message length 
is |m| = n = |p| − 2τ − 2 where τ is the security parameter. We define our padding 
scheme as pad^H(m|r) = (h_1|h_2) for h_1 = H_1(r) ⊕ m and h_2 = H_2(h_1) ⊕ r, where 
hash functions H_1, H_2 output bit strings of length n and 2τ, respectively, and r 
is a random string of length 2τ. Note that (m|r) can be recovered from (h_1|h_2). 
This padding is simpler than the OAEP padding and its variants because our 
(symmetric, anonymous) encryption needs only chosen plaintext security rather 
than chosen ciphertext security. 

Using such padding we can encrypt as follows. KGen is the same as in the VRF 
scheme. Enc_k(m) = o^k mod p where o = pad^H(m|r) is treated as an element in 
Z_p^*. The decryption Dec_k(c) computes candidates o' and −o' mod p for o, where 
o' = c^{k'} mod p, and k' = α · k^{−1} mod q where α = (q+1)/2 (in integers). To 
decrypt we take as o either o' or −o' mod p, depending on which one is smaller than 
the length bound of the padded block. We then recover m|r by inverting the padding 
scheme pad^H on o. 

The proof of correct encryption consists of the randomness r and a proof π of 
discrete-log equality DL_o(c) = DL_g(pk). 

Theorem 4. The above scheme is a verifiable anonymous symmetric encryption 
scheme secure under the DDH assumption in ROM. 
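The padding scheme and the encryption/decryption round trip above, as an added worked example (ours, not the paper's code): pad^H(m|r) = (h_1|h_2) is built and inverted with SHA-256 standing in for H_1 and H_2, Enc_k raises the padded block to k, and Dec_k recovers the two candidates o and −o mod p the text mentions and keeps the one that fits in |p| − 2 bits. One deliberate simplification: decryption here raises c to k^{-1} mod q rather than to the α · k^{-1} exponent described in the text, which already yields the ±o pair; the 66-bit safe prime and the toy τ = 8 are assumptions for the example.

```python
import hashlib
import secrets

# Added example, not code from the paper: the Feistel-like padding pad^H(m|r)
# and the symmetric encryption Enc_k(m) = pad^H(m|r)^k mod p from section 3.2,
# at toy parameters.  Decryption here raises c to k^{-1} mod q, which gives
# one of the two candidates o and -o mod p that the text mentions, and keeps
# the candidate below 2^(|p|-2), the length of the padded block; the
# alpha = (q+1)/2 factor of the paper is not reproduced.  Assumptions (ours):
# SHA-256 models H1 and H2, and a 66-bit safe prime stands in for a real p.

TAU = 8                        # toy security parameter, so |r| = 2*TAU = 16 bits
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n below about 2^81."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_safe_prime(start):
    """Smallest p >= start with p = 2q+1 and both p and q prime."""
    p = start | 1
    while not (is_probable_prime((p - 1) // 2) and is_probable_prime(p)):
        p += 2
    return p

P = next_safe_prime(1 << 65)   # |p| = 66 bits (toy; a real p has >= 2048 bits)
Q = (P - 1) // 2
N = P.bit_length() - 2 * TAU - 2   # |m| = |p| - 2*tau - 2 = 48 bits here
BOUND = 1 << (P.bit_length() - 2)  # o = (h1|h2) has |p|-2 bits, so o < BOUND

def _h(label, value, nbits):
    """Hash an integer to an nbits-bit integer; models H1 (nbits = n) and H2 (2*tau)."""
    digest = hashlib.sha256(label + value.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - nbits)

def pad(m, r):
    """pad^H(m|r) = (h1|h2) with h1 = H1(r) xor m and h2 = H2(h1) xor r."""
    h1 = _h(b"H1", r, N) ^ m
    h2 = _h(b"H2", h1, 2 * TAU) ^ r
    return (h1 << (2 * TAU)) | h2

def unpad(o):
    """Invert the padding: r comes back from h2, then m from h1."""
    h2 = o & ((1 << (2 * TAU)) - 1)
    h1 = o >> (2 * TAU)
    r = _h(b"H2", h1, 2 * TAU) ^ h2
    return _h(b"H1", r, N) ^ h1, r

def kgen():
    """Same as the VRF KGen: k in Z_q^*, pk = g^k with g = 4 generating QR_p."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(4, k, P)

def encrypt(k, m):
    """Enc_k(m) = o^k mod p with o = pad^H(m|r).  Returns (c, r); r is the
    randomness part of the proof of correct encryption (the DL-equality proof
    itself is not shown here)."""
    if not 0 <= m < (1 << N):
        raise ValueError("message must be at most %d bits" % N)
    while True:
        r = secrets.randbits(2 * TAU)
        o = pad(m, r)
        if o != 0:                 # o must lie in Z_p^*; o = 0 is resampled
            return pow(o, k, P), r

def decrypt(k, c):
    """Dec_k(c): c^(k^-1 mod q) equals o or -o mod p; only o is below BOUND."""
    o_prime = pow(c, pow(k, -1, Q), P)
    o = o_prime if o_prime < BOUND else P - o_prime
    return unpad(o)[0]

def demo():
    """Round trip of a 6-byte transaction description."""
    k, _ = kgen()
    m = int.from_bytes(b"$1,500", "big")
    c, r = encrypt(k, m)
    return decrypt(k, c).to_bytes(6, "big")
```

Why the ±o ambiguity arises: k·(k^{-1} mod q) = 1 + tq for some integer t, so c^{k^{-1}} = o · (o^q)^t, and o^q is ±1 in Z_p^*. Since o has only |p| − 2 bits, o < 2^{|p|−2} < p/2 while −o mod p = p − o exceeds that bound, so the size test picks the right candidate every time.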

Anonymous signatures. An anonymous signature is an undeniable signature 
scheme [CP92] with an additional property of key-privacy. Recall that an un- 
deniable signature scheme requires that the recipient of a signature s produced 
under public key pk on message m cannot prove to a third party that this is 
a valid signature under pk. Instead, the third party must ask U to verify the 
signature validity or invalidity via an interactive proof protocol. Here we addi- 
tionally require key privacy in the sense corresponding to the CPA-security of 
the anonymous symmetric encryption, i.e., that it is infeasible to tell from a 
(message, signature) pair what public key was used in computing it. 
Construction: Any VRF family immediately yields an anonymous signature 
scheme. In fact, the undeniable signature construction of [CP92] already has 
the required properties, because it is implicitly constructed from the same VRF 
construction as here. For better concrete security, we slightly modify the [CP92] 
construction. The signature on m is a pair ŝ = (r, s) where r is a random string 
of length 2τ, and s = f_k(m|r) = H(m|r)^k mod p. The proof of (in)correctness 
of a signature under public key pk is a zero-knowledge proof of (in)equality of 
discrete log (e.g., [CS03]) between tuples (g, pk) and (H(m|r), s). 

3.3 Key Management for Discrete-Log Based VTE Schemes 

The discrete-log based keys used in our scheme can be efficiently secret-shared 
by the user with the CA trustees using Feldman’s verifiable secret sharing (see, 
e.g., [GJKR99] for an exposition). Using recent techniques of [CS03], the user can 
deliver a secret-share to each trustee encrypted under the trustee’s public key, 
and the trustee can verify the share’s correctness without the use of the trustee’s 
private key. The resulting shares can then be efficiently used by the trustees in the 
subpoena process. For example, if the user refuses to cooperate, the CA trustees 
can efficiently compute the tag t = (H(Type))^k mod p for the subpoenaed user 
and type via a threshold exponentiation protocol such as [GJKR99]. The trustees 
can also use the same protocol to verify signatures on and decrypt the escrows. 
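The key-management step above, as an added worked example (ours, not the paper's or [GJKR99]'s code): the user shares k with the CA trustees using Feldman's verifiable secret sharing, each trustee checks its share against the public commitments, and any threshold-sized subset later computes the tag (H(Type))^k mod p by raising each partial h^{s_i} to its Lagrange coefficient, so k itself is never reconstructed. The encrypted share delivery of [CS03] is not modelled; the 21-bit safe prime, the generator 4 of QR_p and SHA-256 (squared mod p) as H are assumptions for the example.

```python
import hashlib
import secrets

# Added example, not code from the paper: the user shares the discrete-log key
# k among CA trustees with Feldman's verifiable secret sharing, and any t of
# them later recompute the tag (H(Type))^k mod p by threshold exponentiation,
# without ever reconstructing k.  The encrypted share delivery of [CS03] is
# not modelled; shares are handed to trustees directly.  Assumptions (ours):
# a 21-bit safe prime, generator 4 of QR_p, and SHA-256 squared mod p as H.

def _is_prime(n):
    """Trial division; enough for the toy group size used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def next_safe_prime(start):
    """Smallest p >= start with p = 2q+1 and both p and q prime."""
    p = start | 1
    while not (_is_prime(p) and _is_prime((p - 1) // 2)):
        p += 2
    return p

P = next_safe_prime(1 << 20)   # toy modulus
Q = (P - 1) // 2               # order of QR_p; shares and exponents live in Z_q
G = 4                          # generator of QR_p

def hash_to_group(x):
    """H: {0,1}* -> QR_p (SHA-256, then squaring), so exponents reduce mod q."""
    digest = int.from_bytes(hashlib.sha256(b"H|" + x).digest(), "big")
    return pow(digest % (P - 2) + 2, 2, P)

def feldman_share(k, n_trustees, threshold):
    """Shares s_i = f(i) of a random degree-(threshold-1) polynomial f with
    f(0) = k, plus public commitments C_j = g^{a_j} (C_0 is the user's pk)."""
    coeffs = [k] + [secrets.randbelow(Q) for _ in range(threshold - 1)]
    shares = {}
    for i in range(1, n_trustees + 1):
        shares[i] = sum(a * pow(i, j, Q) for j, a in enumerate(coeffs)) % Q
    commitments = [pow(G, a, P) for a in coeffs]
    return shares, commitments

def verify_share(i, share, commitments):
    """Trustee i's check: g^{s_i} == prod_j C_j^{i^j} mod p."""
    rhs = 1
    for j, c_j in enumerate(commitments):
        rhs = rhs * pow(c_j, pow(i, j, Q), P) % P
    return pow(G, share, P) == rhs

def lagrange_at_zero(i, indices):
    """Coefficient lambda_i with sum_i lambda_i * f(i) = f(0) mod q."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def threshold_tag(transaction_type, shares):
    """Each trustee i publishes h^{s_i}; the combiner raises each partial to
    lambda_i and multiplies, obtaining h^{f(0)} = h^k = Tag_k{Type}."""
    h = hash_to_group(transaction_type)
    partials = {i: pow(h, s, P) for i, s in shares.items()}
    t = 1
    for i, part in partials.items():
        t = t * pow(part, lagrange_at_zero(i, partials), P) % P
    return t

def demo():
    """5 trustees, threshold 3: all shares verify, a tampered share does not,
    and trustees 1, 3, 5 recover exactly the tag the user would compute."""
    k = secrets.randbelow(Q - 1) + 1
    shares, commitments = feldman_share(k, 5, 3)
    all_valid = all(verify_share(i, s, commitments) for i, s in shares.items())
    tampered = verify_share(2, (shares[2] + 1) % Q, commitments)
    subset = {i: shares[i] for i in (1, 3, 5)}
    user_tag = pow(hash_to_group(b"wire"), k, P)
    return all_valid, tampered, threshold_tag(b"wire", subset) == user_tag
```

The same combination step serves the other uses the text mentions: with h replaced by H(m|r) the trustees compute the undeniable signature value, and with h replaced by the ciphertext c and the shares of k^{-1} mod q they can perform the decryption exponentiation, each time without any single trustee learning k.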

4 VTE Scheme with Unlinkable Receipts 

As explained in section 3.1, category-preserving anonymity is hard to achieve un- 
less the escrow agent and the transaction counterparty are somehow prevented 
from linking their views of the escrow and the verification protocols. We show 
how to achieve such separation of agent’s and counterparty’s views by replacing 
the standard signature scheme used by our basic VTE scheme with the CL 
signature scheme of [CL01, CL02], which enables the user to prove his possession of 
the agent’s receipt to the counterparty in zero-knowledge. To integrate CL 
signatures into our VTE scheme, in section 4.1 we introduce a novel zero-knowledge 
proof of knowledge of committed key and plaintext (CKP-ZKPK). 

Diophantine commitments. To use the CL signature scheme, we need a 
commitment scheme of [FO98, DF01] which allows a commitment to integers rather 
than to elements in a finite field. Consider a special RSA modulus n = p'q', 
where p', q', (p' − 1)/2, (q' − 1)/2 are all prime and |p'|, |q'| are polynomial in 
the security parameter τ. Consider also a random element b of the group QR_n of 
quadratic residues modulo n, and a random element a of the subgroup generated 
by b in Z_n^*. The commitment to an integer value m is C = a^m b^{m'} mod n where 
m' is chosen uniformly in Z_n. This commitment scheme is statistically hiding, 
and it is binding if the strong RSA assumption holds for n [FO98, DF01]. 

CL signatures. The public key in CL signature consists of a special RSA 
modulus n as above, and three uniformly chosen elements a, b, d in QR_n. Let ℓ_m be 
a parameter upper-bounding the length of messages that need to be signed. 
The public key is (n, a, b, d). The signature on m is a triple (v, e, s) where 
v^e = a^m b^s d mod n and 2^{ℓ_e+1} > e > 2^{ℓ_e} where ℓ_e > ℓ_m + 2. This signature 
scheme is CMA-secure under the strong RSA assumption [CL02]. 

The CL signature comes with two protocols: (1) the CL signing protocol, 
in which the signer can issue signature (v, e, s) on m ∈ {0,1}^{ℓ_m} given only a 
commitment Cm to m; and (2) the CL verification protocol which is a zero- 
knowledge proof in which the prover can prove the knowledge of a signature on 
m to the verifier who knows only a commitment to m. 

The commitments to m used in protocols (1) and (2) can be independent 
of the CL signature public key. However, for simplicity, in our application the 
instance of the Diophantine commitment scheme used in the CL signing protocol 
will be formed by values (n, a, b) which are parts of the CL signature public key. 

Before we show how to use them, we need to make two modifications to the 
CL signatures as shown above. First, we use the [CL02] extension of the above 
scheme to signing a block of three messages (m_1, m_2, m_3). This is done simply 
by including three random elements a_1, a_2, a_3 in QR_n instead of one a in the 
public key of the CL signature scheme. The signature is a triple (v, e, s) where 
v^e = a_1^{m_1} a_2^{m_2} a_3^{m_3} b^s d mod n. In the CL signing and verification protocols adapted 
to a block of three messages, both the signer and the verifier know three separate 
commitments on these messages. 

Second, we note that if in the CL signature verification protocol the verifier 
knows the message m itself instead of a commitment to it, the protocol still works 
and even gets easier. Similarly, if the verifier knows not the above Diophantine 
commitment to m, but g^m mod p (also a commitment to m), the protocol still 
works, but the prover only shows knowledge of a signature on some integer m' s.t. 
m' = m mod 2q (recall that p = 2q+1, p, q are primes, and g is a generator of Z_p^*). 
The same holds for the CL verification protocol extended to a block of messages 
(m_1, m_2, m_3). In our case, the verifier will know messages m_1 and m_2, and a 
commitment g^{m_3} mod p to message m_3, and the prover will show possession of a 
CL signature on the block of messages (m_1, m_2, m_3') s.t. m_3' = m_3 mod q. 

VTE scheme with unlinkable receipts. We recall the VTE construction of 
section 3, where k is the user’s secret key, pk = g^k mod p is the public key, 
and m is the transaction plaintext. The escrow is a triple e = (c, t, ŝ) where c = 
o^k mod p, t = h^k mod p, ŝ = (r, s), s = H((c, t)|r)^k mod p, h = H(Type(m)), 
o = pad^H(m|r'), and r, r' are random strings of length 2τ. 

Let ℓ_m, the maximum message length, be |p|, enough to represent elements in 
either Z_p^* or Z_q^*. The public key of the escrow agent is the public key (n, a, b, d) of 
the CL signature scheme, except that a is chosen at random from the subgroup 
generated by b in Z_n^*. If the escrow agent generates his key himself, he must 
prove knowledge of t s.t. a = b^t mod n. 

The user sends e = (c, t, ŝ) = (c, t, (r, s)) to the escrow agent as in the 
basic VTE scheme, but here he also includes three Diophantine commitments 
C_o, C_h, C_k on integer values o, h, k using (n, a, b) as the instance of the 
commitment scheme. Using the zero-knowledge proof CKP-ZKPK of committed key and 
plaintext (see section 4.1), the user then proves his knowledge of integer values 
(o', h', k') s.t. o', h', k' are committed to in C_o, C_h, C_k, and c = (o')^{k'} mod p, 
t = (h')^{k'} mod p, and s = H((c, t)|r)^{k'} mod p. If the proof succeeds, the user 
and the escrow agent run the CL signing protocol on the commitments C_o, C_h, C_k 
at the end of which the user holds a CL signature on the block (o', h', k') of the 
committed messages. 

In the verification phase, the user sends to the transaction counterparty 
values {o,r'), together with the transaction plaintext m and his public key 
pk = g^^ mod p. The counterparty computes h = H{Type{m)) and verifies if 
o = pad^(m|r'). The user and the counterparty then run the CL verification 
protocol in which the user proves possession of a CL signature on integer values 
o, h, k' where the verifier knows o and h and pk = g^^ mod p. 

If the user passes both proofs, the first with the escrow agent as the verifier 
and the second with the transaction counterparty as the verifier, then under the 
strong RSA assumption needed for the diophantine commitment to be binding, 
o' = o, h' = h, and k' = k mod q, thus the escrow entry e = (c, t, s) is com- 
puted correctly. Furthermore, the escrow agent learns only the (ciphertext,tag) 
pair (c, t) = { 0 ^^ mod p, mod p) and the signature s, while the counterparty 
learns only the values o, h associated with the plaintext m and the public key 
pk = g^^ mod p. 

From the properties of the basic VTE scheme and the CKP-ZKPK proof 
system (see section 4.1), the following theorem follows: 

Theorem 5. The VTE scheme with unlinkable receipts satisfies (1) verifiability, 
(2) efficient and unavoidable subpoena, (3) tamper resistance, and (4) category- 
preserving anonymity, under the DDH and strong RSA assumptions in ROM. 
4.1 Zero-Knowledge Proof of Committed Key and Plaintext 

We present the ZK proof protocol required by the unlinkable-receipt VTE con- 
struction of the previous section. Recall that the user needs to prove in zero- 
knowledge to the escrow agent his knowledge of integer values o, h, k s.t. o, h, k 
are committed to in C_o, C_h, C_k, and c = o^k mod p, t = h^k mod p, and s = 
H((c, t)|r)^k mod p. The public inputs in this proof are values (p, q, g), (n, a, b), 
(C_o, C_h, C_k), and (c, t, r, s). The prover's inputs are o, h ∈ Z_p^*, k ∈ Z_q^*, and the 
decommitment values o', h', k' in Z_n. 

ZKPK of Committed Key and Plaintext 

Prover's Input:  k ∈ Z_q^*, the secret key 
                 o ∈ Z_p^*, the "plaintext" 
                 o', k' ∈ Z_n, the decommitment values 
Common Input:    (p, q, g), the discrete-log group setting 
                 (n, a, b), the instance of a Diophantine commitment scheme 
                 C_k = a^k b^{k'} mod n, commitment to k 
                 C_o = a^o b^{o'} mod n, commitment to o 
                 c = o^k mod p, the ciphertext 

1. Prover P picks \tilde{o} ← Z_p^* and \tilde{o}' ← Z_n, and sends \tilde{C}_o = a^{\tilde{o}} b^{\tilde{o}'} mod n 
   and \tilde{c} = (\tilde{o})^k mod p to the Verifier V 

2. Verifier V sends to P a random binary challenge b = 0 or 1 

3. P responds as follows: 

   b = 0: (a) P sends (s, s') = (\tilde{o}, \tilde{o}') to V 
          (b) P performs a standard ZKPK proof of knowledge (e.g., [CM99]) 
              of (k, k') s.t. a^k b^{k'} = C_k mod n and s^k = \tilde{c} mod p 

   b = 1: (a) P sends s = o * \tilde{o} mod p to V 
          (b) P performs a standard ZKPK proof of knowledge (e.g., [CM99]) 
              of (k, k') s.t. a^k b^{k'} = C_k mod n and s^k = c * \tilde{c} mod p 
          (c) P performs a ZKPK given by [CM99], of knowledge of values 
              (o, o', \tilde{o}, \tilde{o}') s.t. a^o b^{o'} = C_o mod n, a^{\tilde{o}} b^{\tilde{o}'} = \tilde{C}_o mod n, 
              and o * \tilde{o} = s mod p 

4. In both cases V accepts only if the appropriate ZKPK proofs verify. Addi- 
   tionally, if b = 0, V checks also if a^s b^{s'} = \tilde{C}_o mod n. 

Fig. 1. Binary challenge proof system CKP-ZKPK 



To simplify the presentation, we will show a ZKPK system for a slightly sim- 
pler problem, namely the ZK proof of knowledge of committed key and plaintext 
(CKP-ZKPK). Namely, the public values are (p, q, g), (n, a, b), (C_o, C_k, c) and the 
prover proves knowledge of integer values o, k s.t. (1) they are committed to in 
C_o, C_k under commitment instance (n, a, b), and (2) c = o^k mod p. One can 
see that the required ZKPK system is created by running three proofs in paral- 
lel: (i) one CKP-ZKPK proof for secrets o, k and public (C_o, C_k, c), (ii) another 
CKP-ZKPK proof for secrets h, k and public (C_h, C_k, t), and (iii) a standard 
ZKPK proof of knowledge (e.g. [CM99]) of k s.t. H((c, t)|r)^k = s mod p and k 
is committed to in C_k, where the public inputs are (C_k, c, t, r, s). 

We present the CKP-ZKPK proof protocol in Figure 1. We note that this is a 
binary challenge protocol with 1/2 soundness error, so to get security parameter 
τ this proof should be repeated τ times, or in the Random Oracle Model it can 
be made non-interactive by preparing the τ instances of it independently in 
parallel, except that the challenge bits are computed by hashing together the 
first prover's messages of all these τ instances. The resulting protocol involves 
O(τ) exponentiations for both the prover and the verifier, which unfortunately 
makes this protocol quite expensive in practice. 

Note that both ZKPK proofs referred to in the CKP-ZKPK protocol can 
be non-interactive in the Random Oracle Model considered here, and that they 
involve a small constant number of exponentiations. We remark that the 
proof system of [CM99] used in step (c) of case b = 1 for proving modular 
multiplication on committed values can be simplified in our case, because here 
the product s = o * \tilde{o} and the modulus p are publicly known, in 
contrast to the general case considered by [CM99], where the verifier knows s 
and p only in committed form. 

Theorem 6. The CKP-ZKPK proof system is computational zero-knowledge if the 
DDH problem for the group QR_p is hard. 

Theorem 7. The CKP-ZKPK proof system is a proof of knowledge with soundness 
error 1/2 if the strong RSA problem in the group Z_n^* is hard. 

5 VTE Scheme with Automatic Threshold Disclosure 

We describe an extension of the VTE scheme which enables the escrow agent to 
automatically open escrows that (1) fall into the same bin, i.e., share the same 
(user, type) category, and (2) whose number is no less than some fixed thresh- 
old, pre-specified for transactions of this type. This can be used, for example, 
to implement oversight of financial transactions with the following disclosure 
condition: if some user requests more than 10 transfers, via any set of banks, to 
some pre-specified "offshore haven," the plaintexts of the corresponding escrows 
must be automatically disclosed to the overseeing authority. 

Using Feldman's non-interactive verifiable secret sharing scheme [Fel87], we 
modify the VTE scheme of section 3 as follows. To create an escrow of plaintext 
m under key k, the user computes the tag t = Tag_k{T} where T = Type(m) 
as in section 3, but the ciphertext is computed differently. Let d be the publicly 
pre-specified threshold disclosure value that corresponds to this T. The user 
picks a unique d-degree secret-sharing polynomial f(·) by applying d + 1 times 
a pseudorandom function indexed by the secret k, i.e., k_i = H(k, T, i) for i = 
0, ..., d, where H : {0,1}^* → Z_q, and setting f(x) = k_0 + k_1 x + ... + k_d x^d mod q. 
A set of values {C_0, ..., C_d} where C_i = g^{k_i} mod p serves as public verifi- 
cation information for this secret-sharing polynomial. The ciphertext is now 
c' = (c, {C_i}_{i=0..d}, x, f(x), π), where c = Enc_{k_0}{m}, π is the proof that c is a cor- 
rect encryption of m under the "quasi-one-time" private key k_0 (and its public 
counterpart C_0 = g^{k_0} mod p), and x is some unique value corresponding to this 
transaction, e.g., x = H(c). The user computes the private signature σ = (r, s) 
on (c', t), and hands the escrow e = (c', t, σ) to the escrow agent. 

The escrow agent checks that (x, f(x)) is a true data point on the polynomial 
committed to in the set {C_i}_{i=0..d} by verifying that g^{f(x)} = C_0 * (C_1)^x * ... * 
(C_d)^{x^d} mod p. Moreover, if the bin tagged with tag t in the escrow database has 
other entries, the agent checks that the argument x has not been used before 
with the tag t, and that the values {C_0, ..., C_d} are the same for this t as before. The 
agent then releases his signature on the escrow e to the user. The user presents 
it to the counterparty, who verifies it as before, except that correctness of the 
ciphertext c = Enc_{k_0}{m} is verified on (C_0, m, c, π) instead of (pk, m, c, π), and 
it is checked that d is the threshold value corresponding to type T. 
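As an added example (not the paper's own code), the escrow creation and the escrow agent's checks described above, carried through with both sides' messages in Python. The assumptions that are not in the text: a deterministically found 64-bit safe prime p = 2q+1 with g = 4 generating QR_p (toy size, insecure); SHA-256 standing in for H, with outputs forced into Z_q^* so that k_0 is always invertible; plaintexts encoded as squares o = m^2 mod p in place of pad(m|r'); and the user's signature σ and the correctness proof π left out. The disclose() method goes one step beyond the text: once a bin holds d+1 shares it recovers k_0 by Lagrange interpolation, checks it against C_0, and decrypts every ciphertext in the bin.

```python
import hashlib

# Toy group setting (assumption, insecure): p = 2q + 1, g = 4 generates QR_p.
def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for all n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for a in bases:
        if n % a == 0:
            return n == a
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_after(start):
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime_after(1 << 62)
G = 4

def H_int(*parts):
    """SHA-256 plays the random oracle H over a '|'-separated encoding."""
    data = b"|".join(str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def H_zq(*parts):
    return 1 + H_int(*parts) % (Q - 1)                 # into Z_q^*, so k_0 is invertible

def H_qr(*parts):
    return pow(1 + H_int(*parts) % (P - 1), 2, P)      # into QR_p, for h = H(Type(m))

def encode(m):
    """Plaintext m < p/2 as the square o = m^2 mod p, an element of QR_p."""
    return m * m % P

def decode(o):
    r = pow(o, (P + 1) // 4, P)                         # p = 3 mod 4: a square root of o
    return min(r, P - r)

def make_escrow(k, m, T, d):
    """User side: c under the quasi-one-time key k_0 = H(k,T,0), the Feldman
    commitments C_i = g^{k_i}, one share (x, f(x)) with x = H(c), and the tag t."""
    ks = [H_zq(k, T, i) for i in range(d + 1)]
    C = [pow(G, ki, P) for ki in ks]
    c = pow(encode(m), ks[0], P)
    x = H_zq(c)
    fx = sum(ki * pow(x, i, Q) for i, ki in enumerate(ks)) % Q
    t = pow(H_qr(T), k, P)
    return {"c": c, "C": C, "x": x, "fx": fx, "d": d, "t": t, "T": T}

def interpolate_at_zero(points, q):
    """f(0) by Lagrange interpolation from d+1 points of a degree-d polynomial mod q."""
    total = 0
    for xj, yj in points:
        num = den = 1
        for xl, _ in points:
            if xl != xj:
                num = num * (-xl) % q
                den = den * (xj - xl) % q
        total = (total + yj * num * pow(den, -1, q)) % q
    return total

class EscrowAgent:
    def __init__(self, thresholds):
        self.thresholds = thresholds    # transaction type T -> degree d
        self.bins = {}                  # tag t -> {"C", "points", "cts"}

    def accept(self, e):
        """The agent's checks before it signs an escrow (sigma and pi omitted)."""
        if e["d"] != self.thresholds.get(e["T"]) or len(e["C"]) != e["d"] + 1:
            return False
        rhs = 1                          # C_0 * C_1^x * ... * C_d^{x^d} mod p
        for i, Ci in enumerate(e["C"]):
            rhs = rhs * pow(Ci, pow(e["x"], i, Q), P) % P
        if pow(G, e["fx"], P) != rhs:    # must equal g^{f(x)}
            return False
        b = self.bins.setdefault(e["t"], {"C": e["C"], "points": {}, "cts": []})
        if b["C"] != e["C"] or e["x"] in b["points"]:
            return False                 # polynomial changed, or x reused, in this bin
        b["points"][e["x"]] = e["fx"]
        b["cts"].append(e["c"])
        return True

    def disclose(self, t):
        """Automatic opening: with d+1 shares in the bin, recover k_0 and decrypt."""
        b = self.bins.get(t)
        if b is None or len(b["points"]) < len(b["C"]):
            return None
        k0 = interpolate_at_zero(list(b["points"].items())[: len(b["C"])], Q)
        if pow(G, k0, P) != b["C"][0]:
            raise ValueError("recovered key does not match C_0")
        return [decode(pow(c, pow(k0, -1, Q), P)) for c in b["cts"]]
```

The Feldman check is what makes the threshold unavoidable: a user who submits a share off the committed polynomial, reuses an x, or changes {C_i} within a bin is refused the agent's signature, so every accepted escrow in a bin is a genuine point of the same degree-d polynomial and the (d+1)-th one hands the agent k_0.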

To prevent the counterparty and the escrow agent from linking their views, 
the same mechanism as in section 4 may be deployed. The user sends com- 
mitments C_o, C_h, C_k on values o, h, k to the escrow agent (note the difference 
between C_o and C_0), proving his knowledge of o, h, k, k_0 s.t. c = o^{k_0} mod p, 
C_0 = g^{k_0} mod p, t = h^k mod p, and s = H((c', t)|r)^k mod p. The same zero- 
knowledge protocol as in section 4 may be used, and is even slightly simpler 
since C_0 is a simpler commitment to k_0 than the Diophantine commitment. Af- 
ter checking the proofs, the user and the escrow agent perform the CL signing 
protocol to give the user a CL signature on the block of messages (o, h, k, d). 
The user then sends to the counterparty values (o, r') as in section 4, together 
with d. The counterparty checks that o is properly formed and d is the proper 
threshold value for the given transaction type, and they run the CL verification 
protocol to prove the user's knowledge of a CL signature on values (o, h, k, d) 
where the verifier knows o, h, d and pk = g^k mod p. 
Abstract. We introduce Ad hoc Anonymous Identification schemes, a 
new multi-user cryptographic primitive that allows participants from 
a user population to form ad-hoc groups, and then prove membership 
anonymously in such groups. Our schemes are based on the notion of 
accumulator with one-way domain, a natural extension of cryptographic 
accumulators we introduce in this work. We provide a formal model 
for Ad hoc Anonymous Identification schemes and design secure such 
schemes both generically (based on any accumulator with one-way do- 
main) and for a specific efficient implementation of such an accumulator 
based on the Strong RSA Assumption. A salient feature of our approach 
is that all the identification protocols take time independent of the size of 
the ad-hoc group. All our schemes and notions can be generally and ef- 
ficiently amended so that they allow the recovery of the signer’s identity 
by an authority, if the latter is desired. 

Using the Fiat-Shamir transform, we also obtain constant-size, signer- 
ambiguous group and ring signatures (provably secure in the Random 
Oracle Model). For ring signatures, this is the first such constant-size 
scheme, as all the previous proposals had signature size proportional to 
the size of the ring. For group signatures, we obtain schemes comparable 
in performance with state-of-the-art schemes, with the additional feature 
that the role of the group manager during key registration is extremely 
simple and essentially passive: all it does is accept the public key of the 
new member (and update the constant-size public key of the group). 



1 Introduction 

Anonymous identification is an oxymoron with many useful applications. Con- 
sider the setting, for a known user population and a known set of resources, 
where a user wants to gain access to a certain resource. In many cases, accessing 
the resource is an action that does not mandate positive identification of the 
user. Instead, it would be sufficient for the user to prove that he belongs to the 
subset of the population that is supposed to have access to the resource. This 
would allow the user to lawfully access the resource while protecting his real identity 
and thus "anonymously identify" himself. 

Given the close relationships between identification schemes and digital sig- 
natures, one can easily extend the above reasoning to settings where a user 
produces a signature that is "signer-ambiguous", i.e., such that the verifier is 
not capable of distinguishing the actual signer among a subgroup of potential 
signers. In fact, it was in the digital signature setting that such an anonymous 
scheme was presented for the first time, with the introduction of the group signa- 
ture model [19], which additionally mandates the presence of a designated party 
able to reveal the identity of the signer, were the need to arise. 

Subsequent work on group signatures and on anonymous identification in 
general [20, 24, 13, 18, 16, 23, 3, 1, 11, 14, 6, 2] allowed for more efficient designs 
and formal modelling of the primitive, with the current state of the art being 
the scheme by Ateniese et al. [1]. In general, existing group signature schemes 
are derived from their interactive counterpart {ID Escrow schemes [32]) via the 
Fiat-Shamir transform [28]. 

A related notion, but of slightly different nature, is that of ring signatures, 
introduced by Rivest, Shamir and Tauman in [34] and further studied in [12, 33]. 
Ring signatures differ from group signatures in that they allow group formation 
to happen in an ad-hoc fashion: groups must be formed without the help of a 
group manager; in fact, a user might not even know that he has been included 
in a certain group. This is in sharp contrast to the group signature setting where 
the user must execute a Join protocol with the group manager and obtain a 
group-membership certificate that cannot be constructed without the help of 
the group manager. Note that ad-hoc group formation in the context of ring 
signatures is always understood within the context of a user population and an 
associated PKI. Based on the PKI, ad-hoc subsets of the user population can be 
formed without the help of a “subset manager” — but it is assumed that every 
user has a registered public key. 

While ring signatures are attractive because they have simple group for- 
mation procedures that can be executed by any user individually, they have 
the shortcoming that the length of the signature is proportional to the group 
size. For large groups, the length of a ring signature (growing linearly with the 
group size) will become impractical. To the contrary, schemes with constant-size 
signatures have been successfully designed in the group signature setting [1]. 
We remark that in the setting of anonymous identification, the counterpart of 
“signature size” is the bandwidth consumed by the protocol, which is thus an 
important complexity measure to minimize. 

Based on the above discussion, an important open question in the context of 
anonymous identification and signature schemes, recently posed by Naor in [33], 
is the following: 

Is it possible to design secure anonymous identification schemes that 
enable ad-hoc group formation in the sense of ring signatures and at the 
same time possess constant-size signature (or proof) length? 

Our contribution. In this work we provide an affirmative answer to the above 
question. Specifically, we introduce a new primitive called Ad hoc Anonymous 
Identification schemes; this is a family of schemes where participants from a 
user population can form groups in ad-hoc fashion (without the help of a group 
manager) and then get anonymously identified as members of such groups. 
Our main tool in the construction of Ad hoc Anonymous Identification 
schemes is a new cryptographic primitive, accumulator with one-way domain, 
which extends the notion of a collision-resistant accumulator [7, 4, 15]. In simple 
terms, in an accumulator with one-way domain, the set of values that can be ac- 
cumulated are associated with a “witness space” such that it is computationally 
intractable to find witnesses for random values in the accumulator’s domain. 

First, we demonstrate the relationship between such accumulators and Ad hoc 
Anonymous Identification schemes by presenting a generic construction based on 
any accumulator with one-way domain. Second, we design an efficient implemen- 
tation of accumulator with a one-way domain based on the Strong RSA Assump- 
tion, from which we obtain a more efficient construction of Ad hoc Anonymous 
Identification scheme whose security rests upon the Strong RSA Assumption. 

We remark that previous work on anonymous identification that allowed 
subset queries was done by Boneh and Franklin [8]. They define a more limited 
security model, and show a protocol which imposes on both parties a computa- 
tional load proportional to the subset size at each run. Moreover, their scheme 
is susceptible to collusion attacks (both against the soundness and against the 
anonymity of the scheme) that do not apply to our setting. 

In our Strong-RSA-based Ad hoc Anonymous Identification scheme, the com- 
putational and communication complexity on both ends is constant in the size 
of the group. Thus, the signature version of our ad-hoc anonymous identifica- 
tion scheme yields a ring signature with constant size signatures (over a dedi- 
cated PKI). Other applications of our scheme include "ad-hoc" group signatures 
(group signature schemes where the group manager can be offline during the 
group formation) and identity escrow over ad-hoc groups. 

Recently, work by Tsudik and Xu [35], building on the work by Camenisch 
and Lysyanskaya [15], investigated techniques to obtain more flexible dynamic 
accumulators, on which to base group signature schemes (which is one of our 
applications). The specific method used by [35] bears many similarities with our 
Strong-RSA-based instantiation, with some important differences. Namely, in 
their solution anonymity revocation takes time proportional to the user popu- 
lation, due to subtle problems concerning the accumulation of composite values 
inside the accumulator. Our work resolves this technical problem. Moreover, we 
present a new notion of Ad hoc Anonymous Identification scheme, which has 
more applications than those specific to group signature schemes: for example, 
they allow us to build the first constant-size ring signature schemes. We present 
a general construction for our primitives from any accumulator and not just the 
one of [15]. Last, our formal definitional framework is of independent interest. 



2 Preliminaries 

2.1 NP-Relations and Σ-Protocols 



Throughout the paper, we assume familiarity with the GMR notation [30]. 
An NP-relation R is a relation over bitstrings for which there is an efficient 
algorithm to decide whether (x, w) ∈ R in time polynomial in the length of x. 
The NP-language L_R associated to R is defined as L_R = {x | (∃w)[(x, w) ∈ R]}. 
A Σ-protocol [22, 21] for an NP-relation R is an efficient 3-round two-party 
protocol, such that for every input (x, w) to P and x to V, the first P-round yields 
a commitment message, the subsequent V-round replies with a random challenge 
message, and the last P-round concludes by sending a response message. At 
the end of a run, V outputs a 0/1 value, functionally dependent on x and the 
transcript π only. Additionally, a Σ-protocol satisfies Special Soundness, meaning 
that for any (x, w) ∉ R and any commitment message, there is at most one pair 
of challenge/response messages for which V would output 1; and Special Honest- 
Verifier Zero-Knowledge, meaning that there is an efficient algorithm (called a 
Simulator) that on input x ∈ L_R and any challenge message, outputs a pair of 
commitment/response messages for which V would output 1. 

The main result we will need about Σ-protocols is the following: 

Theorem 1 ([29, 27]). A Σ-protocol for any NP-relation can be efficiently 
constructed if one-way functions exist. 
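Schnorr's protocol, written out as an added example (not from the paper) of the three-round shape and of the two properties just defined, for the NP-relation R = {((p, q, g, y), w) : y = g^w mod p}. The parameters p = 2039 = 2·1019 + 1 and g = 4 (a generator of QR_p) are toy-sized assumptions. extract() is a special-soundness extractor: two accepting transcripts that share a commitment but differ in the challenge determine w, which is why a commitment can have at most one accepting challenge/response pair when no witness exists; simulate() is the SHVZK simulator, which produces an accepting transcript for a challenge chosen in advance without ever touching w.

```python
import secrets

# Toy discrete-log setting (assumption, insecure): p = 2q + 1, g generates QR_p.
P, Q, G = 2039, 1019, 4

def prover_commit(w):
    """First P-round: pick r and send the commitment a = g^r mod p."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def verifier_challenge():
    """V-round: a random challenge e in Z_q."""
    return secrets.randbelow(Q)

def prover_respond(w, r, e):
    """Last P-round: the response z = r + e*w mod q."""
    return (r + e * w) % Q

def verify(y, a, e, z):
    """V's 0/1 decision, a function of x = (p, q, g, y) and the transcript only."""
    return pow(G, z, P) == a * pow(y, e, P) % P

def run(y, w):
    """One honest execution; returns the transcript (a, e, z) and V's verdict."""
    r, a = prover_commit(w)
    e = verifier_challenge()
    z = prover_respond(w, r, e)
    return (a, e, z), verify(y, a, e, z)

def extract(y, t1, t2):
    """Special soundness made concrete: two accepting transcripts with the same
    commitment and different challenges give w = (z1 - z2) / (e1 - e2) mod q."""
    (a1, e1, z1), (a2, e2, z2) = t1, t2
    if not (a1 == a2 and e1 != e2 and verify(y, *t1) and verify(y, *t2)):
        raise ValueError("need two accepting transcripts sharing a commitment")
    return (z1 - z2) * pow((e1 - e2) % Q, -1, Q) % Q

def simulate(y, e):
    """SHVZK simulator: with the challenge known in advance, pick the response
    z first and solve for the commitment a = g^z * y^(-e); no witness needed."""
    z = secrets.randbelow(Q)
    a = pow(G, z, P) * pow(y, -e, P) % P
    return (a, e, z)
```

The simulator is exactly what makes the Fiat-Shamir transform used later in the paper work: a transcript produced by simulate() is distributed like an honest one, so a verifier (or a hash playing the verifier) learns nothing about w from it.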

2.2 Accumulators 

An accumulator family is a pair ({F_λ}_{λ∈N}, {X_λ}_{λ∈N}), where {F_λ}_{λ∈N} is a se- 
quence of families of functions such that each f ∈ F_λ is defined as f : U_f × X_f^{ext} → 
U_f for some X_f^{ext} ⊇ X_λ and additionally the following properties are satisfied: 

— (efficient generation) There exists an efficient algorithm G that on input a 
security parameter 1^λ outputs a random element f of F_λ, possibly together 
with some auxiliary information a_f. 

— (efficient evaluation) Any f ∈ F_λ is computable in time polynomial in λ. 

— (quasi-commutativity) For all λ ∈ N, f ∈ F_λ, u ∈ U_f, x_1, x_2 ∈ X_λ, 

f(f(u, x_1), x_2) = f(f(u, x_2), x_1) 

We will refer to {X_λ}_{λ∈N} as the value domain of the accumulator. For any 
λ ∈ N, f ∈ F_λ and X = {x_1, ..., x_s} ⊂ X_λ, we will refer to f(... f(u, x_1) ..., x_s) 
as the accumulated value of the set X over u: due to quasi-commutativity, such 
value is independent of the order of the x_i's and will be denoted by f(u, X). 

Definition 1. An accumulator is said to be collision resistant if for any λ ∈ N 
and any adversary A: 

Pr[f ← F_λ; u ← U_f; (x, w, X) ← A(f, U_f, u) | 
(X ⊂ X_λ) ∧ (w ∈ U_f) ∧ (x ∈ X_f^{ext} \ X) ∧ (f(w, x) = f(u, X))] = ν(λ) 

For λ ∈ N and f ∈ F_λ, we say that w ∈ U_f is a witness for the fact that 
x ∈ X_λ has been accumulated within v ∈ U_f (or simply that w is a witness for x 
in v) whenever f(w, x) = v. We extend the notion of witness for a set of values 
X = {x_1, ..., x_s} in a straightforward manner. 
Accumulators with One-Way Domain. An accumulator with one-way do- 
main is a quadruple ({F_λ}_{λ∈N}, {X_λ}_{λ∈N}, {Z_λ}_{λ∈N}, {R_λ}_{λ∈N}), such that the pair 
({F_λ}_{λ∈N}, {X_λ}_{λ∈N}) is a collision-resistant accumulator, and each R_λ is a rela- 
tion over X_λ × Z_λ with the following properties: 

— (efficient verification) There exists an efficient algorithm D that on input 
(x, z) ∈ X_λ × Z_λ, returns 1 if and only if (x, z) ∈ R_λ. 

— (efficient sampling) There exists a probabilistic algorithm W that on input 
1^λ returns a pair (x, z) ∈ X_λ × Z_λ such that (x, z) ∈ R_λ. We refer to z as a 
pre-image of x. 

— (one-wayness) It is computationally hard to compute any pre-image z' of an 
x that was sampled with W. Formally, for any adversary A: 

Pr[(x, z) ← W(1^λ); z' ← A(1^λ, x) | (x, z') ∈ R_λ] = ν(λ) 

2.3 The Strong RSA Assumption 

We briefly review some definitions [7, 4] regarding the computational assumption 
underlying our efficient construction in Section 5. 

A number n is an RSA integer if n = pq for distinct primes p and q such that 
|p| = |q|. For λ ∈ N, let RSA_λ be the set of RSA integers of size λ. A number p 
is a safe prime if p = 2p' + 1 and both p and p' are odd primes. A number n is 
a rigid integer if n = pq for distinct safe primes p and q such that |p| = |q|. For 
λ ∈ N, let Rig_λ be the set of λ-bit rigid integers. 

Definition 2 (Strong RSA Assumption, [4]). 

For any integer λ and for any adversary A: 

Pr[n ← Rig_λ; z ← Z_n^*; (x', y') ← A(1^λ, n, z) | (y' > 1) ∧ ((x')^{y'} = z (mod n))] < ν(λ) 

the probability being over the random choice of n and z, and A's random coins. 
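The RSA accumulator f(u, x) = u^x mod n that underlies the collision-resistant accumulators cited in Section 2.2, given here as an added example (not the paper's code, and not its Section 5 construction) of the definitions above and of what Definition 2 protects. Assumptions: n = 1487 · 2039 is a toy rigid integer (two small safe primes, insecure), accumulated values are odd primes coprime to φ(n), and u is a square mod n. The last function shows the flip side of the Strong RSA Assumption: whoever holds the factorization (the auxiliary information a_f) can mint a witness for a value that was never accumulated, which is why an honest setup must discard it.

```python
# Toy rigid integer n = p1 * p2 with p1 = 2*743 + 1 and p2 = 2*1019 + 1 (assumption, insecure).
P1, P2 = 1487, 2039
N = P1 * P2
PHI = (P1 - 1) * (P2 - 1)   # the trapdoor a_f; an honest setup must throw it away

def f(u, x):
    """Accumulator function f(u, x) = u^x mod n. Quasi-commutativity is
    immediate: (u^x1)^x2 = (u^x2)^x1. x ranges over odd primes coprime to phi(n)."""
    return pow(u, x, N)

def accumulate(u, xs):
    """f(u, X): fold the set X into the accumulator in whatever order it is given."""
    v = u
    for x in xs:
        v = f(v, x)
    return v

def witness(u, xs, x):
    """A witness for x in v = f(u, X) is the accumulation of X without x."""
    return accumulate(u, [y for y in xs if y != x])

def verify(v, x, w):
    """w is a witness for x in v exactly when f(w, x) = v (Section 2.2)."""
    return f(w, x) == v

def quasi_commutative(u, x1, x2):
    return f(f(u, x1), x2) == f(f(u, x2), x1)

def forge_witness_with_trapdoor(v, x):
    """With phi(n) known, an x-th root of v (a witness for any x, accumulated or
    not) is one modular inverse away. Finding such a root without phi(n) is the
    Strong RSA problem of Definition 2, so collision resistance rests on a_f
    never reaching the adversary."""
    return pow(v, pow(x, -1, PHI), N)
```

Note that nothing in verify() distinguishes a witness computed honestly from one minted with the trapdoor: the accumulator's collision resistance is purely a statement about who can compute roots mod n.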

3 Ad Hoc Anonymous Identification Scheme 

3.1 Syntax 

An Ad hoc Anonymous Identification scheme is a six-tuple of efficient algorithms 
(Setup, Register, Make-GPK, Make-GSK, Anon-ID^P, Anon-ID^V), where: 

— Setup initializes the state of the system: on input a security parameter 1^λ, 
Setup creates a public database DB (that will be used to store information 
about the users' public keys), and then generates the system's parameters 
param; its output implicitly defines a domain of possible global parameters. 

— Register, the registration algorithm, allows users to initially register with the 
system. On input the system's parameters param and the identity of the 
new user u (from a suitable universe of users' identities U), Register returns 
a secret key/public key pair (sk, pk). To complete the subscription process, 
the user then sends his public key to a bulletin board for inclusion in a public 
database DB. 

The Register algorithm implicitly defines a domain SK of possible user secret 
keys and a domain PK of possible user public keys; its output induces a 
relation over user secret key/public key pairs, that we will denote by ≍. We 
also require a superset PK' ⊇ PK to be specified, such that membership to 
PK' can be tested in polynomial time. 

— Make-GPK, the group public key construction algorithm, is a deterministic 
algorithm used to combine a set of user public keys S into a single group 
public key gpk_S, suitable for use in the Anon-ID protocol described below. 
Syntactically, Make-GPK takes as input param and a set S ⊆ PK'; its output 
implicitly defines a domain GPK of possible group public keys. We also 
require a superset GPK' ⊇ GPK to be specified, such that membership to 
GPK' can be tested in polynomial time. 

The Make-GPK algorithm shall run in time linear in the number of public 
keys being aggregated; we also remark here that our definition forces Make- 
GPK to be order-independent, i.e., the order in which the public keys to be 
aggregated are provided shall not matter. 

— Make-GSK, the group secret key construction algorithm, is a deterministic 
algorithm used to combine a set of user public keys S', along with a secret 
key/public key pair (sk_u, pk_u), into a single group secret key gsk_u, suitable 
for use in the Anon-ID protocol described below. 

Make-GSK takes as input param, a set S' ⊆ PK' and a key pair (sk_u, pk_u) 
satisfying sk_u ≍ pk_u, and it shall run in time proportional to the size of S'. 
Its output implicitly defines a domain GSK of possible group secret keys. 
The Make-GPK and Make-GSK algorithms can be used to extend the 
≍-relation to GSK × GPK, as follows: A group secret key gsk = 
Make-GSK(param, S', (sk, pk)) is in ≍-relation with a group public key 
gpk = Make-GPK(param, S) if and only if S = S' ∪ {pk}. Observe that even in 
the case that the ≍-relation is one-to-one over SK × PK, it is usually many- 
to-one over GSK × GPK, as more than one group secret key corresponds to 
the same group public key. 

— Anon-ID = (Anon-ID^P, Anon-ID^V), the Anonymous Identification Protocol, is 
an efficient two-party protocol, in which both Anon-ID^P (the prover) and 
Anon-ID^V (the verifier) get in input the system's parameters param and a 
group public key gpk (corresponding to some set S of user public keys, i.e., 
gpk = Make-GPK(param, S)); Anon-ID^P is also given a group secret key gsk 
as an additional input. 

Any execution of the Anon-ID protocol shall complete in time independent 
from the number of public keys that were aggregated when constructing gpk 
and/or gsk; at the end of each protocol run, Anon-ID^V outputs a 0/1-valued 
answer. 

Correctness. For correctness, we require that any execution of the Anon-ID 
protocol in which the additional input to Anon-ID^P is a group secret key gsk 
≍-related to the common input gpk, shall terminate with Anon-ID^V outputting 
a 1 answer, with overwhelming probability. 
Honest user registration oracle O_HReg 
  IN:  u ∈ U 
  RUN: 1. (sk_u, pk_u) ← Register(param, u) 
       2. DB.Store(sk_u, pk_u) 
  OUT: pk_u 

User corruption oracle O_Cor 
  IN:  pk_u ∈ PK' 
  RUN: 1. sk_u ← DB.Lookup(pk_u)    /* sk_u = ⊥ if no match found */ 
  OUT: sk_u 

Transcript oracle O_Scr 
  IN:  S' ⊆ PK', pk_u ∈ PK' 
  RUN: 1. sk_u ← DB.Lookup(pk_u) 
       2. if sk_u = ⊥ 
       3.   then π ← ⊥ 
       4.   else gpk ← Make-GPK(param, S' ∪ {pk_u}) 
       5.        gsk ← Make-GSK(param, S', (sk_u, pk_u)) 
       6.        π ← Anon-ID^P(param, gpk, gsk) ↔ Anon-ID^V(param, gpk) 
  OUT: π 

Fig. 1.  Oracles for the soundness attack game. DB denotes a database storing 
user secret key/public key pairs, indexed by public key. 



3.2 Soundness 

The Attack Game. We formalize the soundness guarantees that we require 
from an Ad hoc Anonymous Identification scheme in terms of a game being played 
between an honest dealer and an adversary A. In this game, the adversary is 
allowed to interact with three oracles O_HReg (the honest user registration oracle), 
O_Cor (the user corruption oracle), and O_Scr (the transcript oracle) (see Fig. 1). 

The game begins with the honest dealer running the Setup algorithm for 
the security parameter 1^λ, and handing the resulting global parameters param 
to the adversary. Then, A arbitrarily interleaves queries to the three oracles, 
according to any adaptive strategy she wishes: eventually, she outputs a target 
group S* ⊆ PK'. At this point, A starts executing, in the role of the prover, a 
run of the Anon-ID protocol with the honest dealer, on common inputs param and 
gpk* = Make-GPK(param, S*). Notice that during such interaction, the adversary 
is still allowed to query the three oracles O_HReg, O_Scr and O_Cor. Let π be the 
transcript resulting from such run of the Anon-ID protocol. A wins the game if 
the following conditions hold: 

1. for all pk* ∈ S*, there is an entry indexed by pk* in the database DB, 
and 

2. π is a valid transcript, i.e., the run completed with the honest dealer out- 
putting 1, and 

3. for all pk* ∈ S*, A never queried O_Cor on input pk*. 

Define Succ_A^{Snd}(λ) to be the probability that A wins the above game. 

Definition 3. An Ad hoc Anonymous Identification scheme is sound against 
passive chosen-group attacks if any adversary A has negligible advantage to win 
the above game: 

(∀λ ∈ N)(∀PPT A)[Succ_A^{Snd}(λ) ≤ ν(λ)] 
Challenge oracle O_Ch 
  IN:  S' ⊆ PK', (sk_0, pk_0), (sk_1, pk_1) 
  RUN: 1. b* ← {0, 1} 
       2. if not (sk_0 ≍ pk_0) or not (sk_1 ≍ pk_1) then abort 
       3. gpk ← Make-GPK(param, S' ∪ {pk_0, pk_1}) 
       4. gsk* ← Make-GSK(param, S' ∪ {pk_{1-b*}}, (sk_{b*}, pk_{b*})) 
       5. π* ← Anon-ID^P(param, gpk, gsk*) ↔ Anon-ID^V(param, gpk) 
  OUT: π* 

Fig. 2.  The oracle for the anonymity attack game. 



A Note on Active Security. Our definition of soundness models an adversary 
that, in her attempt to fool an honest verifier into accepting a "fake" run of 
the Anon-ID protocol, can actively (and, in fact, adaptively) corrupt users, but 
can only passively eavesdrop on the communication between honest provers and 
verifiers. One could, of course, define stronger notions of security by considering 
active, concurrent or even reset attacks, along the lines of previous work on 
Identification Schemes [26, 5]; however, we refrain from doing so, both to keep the 
presentation simpler, and because the main application of our Ad hoc Anonymous 
Identification schemes is to obtain new ring and group signature schemes by 
means of the Fiat-Shamir Heuristic (see Section 6.3), for which security against 
a passive adversary suffices. 



3.3 Anonymity 

The Attack Game. We formalize the anonymity guarantees that we require 
from an Ad hoc Anonymous Identification scheme in terms of a game being played 
between an honest dealer and an adversary A. In this game, the adversary is 
allowed to interact only once with a "challenge" oracle O_Ch, described in Fig. 2. 

The game begins with the honest dealer running the Setup algorithm for the 
security parameter 1^λ, and handing the resulting global parameters param to the 
adversary. Then, the adversary A creates as many user secret key/public key 
pairs as she wishes, and experiments with the Make-GPK, Make-GSK, Anon-ID^P 
and Anon-ID^V algorithms as long as she deems necessary; eventually, she queries 
the O_Ch oracle, getting back a "challenge" transcript π*. The adversary then 
continues experimenting with the algorithms of the system, trying to infer the 
random bit b* used by the oracle O_Ch to construct the challenge π*; finally, A 
outputs a single bit b, her best guess to the "challenge" bit b*. 

Define Succ_A^{Anon}(λ) to be the probability that the bit b output by A at the 
end of the above game is equal to the random bit b* used by the O_Ch oracle. 

Definition 4. An Ad hoc Anonymous Identification scheme is fully anonymiz- 
ing if any probabilistic, polynomial-time adversary A has success probability at 
most negligibly greater than one half: 

(∀λ ∈ N)(∀PPT A)[Succ_A^{Anon}(λ) − 1/2 ≤ ν(λ)] 
3.4 Extensions 

Identity Escrow. In some scenarios, complete anonymity might create more 
security concerns than it actually solves. Instead, some degree of “limited 
anonymity”, not hindering user accountability, would be preferable. In our con- 
text, this can be achieved with the help of a trusted Identity Escrow Authority, or 
IEA (also called Anonymity Revocation Manager elsewhere [15]), endowed with 
the capability of “reading” the identity of the prover “between the lines” of any 
transcript produced by a run of the Anon-ID protocol. 

To enable such escrow capability, the definition of Ad hoc Anonymous Iden- 
tification scheme from Section 3.1 is modified as follows: 

— The Setup algorithm is run by the IEA, and it additionally outputs an identity 
escrow key sk_IE (from some domain SK_IE), which the IEA keeps for himself. 

— Register is replaced by an efficient two-party protocol (Register^U, 
Register^IEA), meant to be run between the prospective user and the IEA, 
at the end of which the IEA learns the user’s newly generated public key 
(possibly along with some other information aux_u about u that the IEA 
stores in a public registry database DB), but he doesn’t learn anything about 
the corresponding secret key sk_u. 

— An additional (deterministic) Extract algorithm is defined, which takes as 
input a transcript π (for the Anon-ID protocol), along with the Identity 
Escrow secret key sk_IE and the registry database DB, and returns a public 
key pk ∈ PK or one of the special symbols ⊥ and ?. Intuitively, the algorithm 
should be able to recover the identity of the user who participated as the 
prover in the run of the Anon-ID protocol that produced π as transcript; the 
symbol ⊥ should be output when π is ill-formed (e.g., when π comes from a 
ZK simulator), whereas ? indicates failure to trace the correct identity. 

Our definitions of the security properties of the system have to be adjusted, 
since we now have an additional functionality that the adversary may try to 
attack; moreover, the presence of the lEA may open new attack possibilities to 
the adversary. 

The security requirements for the new Extract algorithm are formalized by 
augmenting the attack scenario defining the soundness property (Section 3.2). In 
this new, combined game, the adversary initially gets the IEA’s secret key sk_IE, 
along with the public parameters param of the system. Then, the game proceeds 
as described in Section 3.2, except that we loosen the conditions under which 
the adversary is considered to win the game, substituting the last two caveats 
with the following: 

2'. π is a valid transcript, i.e., Extract(π, sk_IE, DB) ≠ ⊥, and 
3'. for all pk* ∈ S*, either Extract(π, sk_IE, DB) ≠ pk*, or A never queried O_cor 
on input pk*. 

As for the anonymity property, the definition from Section 3.3 is changed 
in that the adversary is now given access to two more oracles (besides 
the challenge oracle O_ch): a corrupted-user registration oracle O_CReg(·) = 
Register^IEA(sk_IE, param, DB), and a user identity extraction oracle O_xtr(·) = 
Extract(·, sk_IE, DB). The adversary wins the game if she successfully guesses the 
random bit chosen by the challenge oracle O_ch, without ever submitting the 
challenge transcript π* to the extraction oracle O_xtr. 

Supporting Multiple Large Ad Hoc Groups. In many applications where 
Ad hoc Anonymous Identification schemes could be useful, new ad hoc groups 
are often created as supersets of existing ones: for example, if ad hoc groups are 
used to enforce access control, new users may be added to the group of principals 
authorized to access a given resource. In such cases, the ability to “augment” a 
group public key with a new user’s public key can be very handy, especially 
if coupled with algorithms to efficiently create the corresponding group secret 
key for the new user, and to update the group secret keys for the existing users. 
Our model can be easily amended to capture this incremental functionality; we 
refer the reader to the full version of this paper [25] for the details. 

4 Generic Construction 

In this section, we will establish the fact that the existence of accumulators 
with one-way domain implies the existence of Ad hoc Anonymous Identification 
schemes. Below we describe how the algorithms (Setup, Register, Make-GPK, 
Make-GSK, Anon-ID^P, Anon-ID^V) can be implemented given an accumulator with 
one-way domain ({F_λ}_{λ∈N}, {X_λ}_{λ∈N}, {Z_λ}_{λ∈N}, {R_λ}_{λ∈N}). 

— Setup executes the accumulator generation algorithm G on 1^λ to obtain 
f ∈ F_λ. Then it samples U_f to obtain u ∈_R U_f. Setup terminates by setting 
param := (λ, u, f, D, W), where D and W are polynomial-time algorithms 
respectively to decide and to sample the relation R_λ. 

— Register first samples a pair (x, z) ∈ X_λ × Z_λ such that (x, z) ∈ R_λ using the 
sampling algorithm W of the relation on input 1^λ. Then, Register outputs 
sk = z (the user secret key) and pk = x (the user public key). Observe that 
SK' = SK = Z_λ, PK' = X_f and PK = X_λ. 

— Make-GPK operates as follows: given a set of user public keys S = 
{x_1, ..., x_t} and the parameters (λ, u, f, D), it sets the group public key 
of S to be the (unique) accumulated value of S over u, i.e., gpk_S = f(u, S). 
Note that thanks to the quasi-commutativity property of f, Make-GPK is 
indeed order-independent. 

— Make-GSK operates as follows: given the set of user public keys S' = 
{x_1, ..., x_t}, a user secret key/public key pair (z, x) and the system pa- 
rameters param = (λ, u, f, D, W), it first computes the accumulated value 
w = f(u, S'), and then sets the group secret key gsk to be the tuple (x, z, w) 
(where S = S' ∪ {x}). Observe that w is a witness for x in f(u, S), and that 
GSK = X_λ × Z_λ × U_f and GPK = U_f. 

— Anon-ID^P and Anon-ID^V are obtained generically as the Σ-protocol corre- 
sponding to the following NP-relation R_param ⊆ GPK × GSK: 

$$R_{\mathrm{param}} = \{\, (v, (x, z, w)) \mid ((x, z) \in R_\lambda) \wedge (f(w, x) = v) \,\}$$

It is easy to see that the above relation is polynomial-time verifiable: indeed, 
given v and (x, z, w), one can check in time polynomial in |v| whether (x, z) ∈ 
R_λ (by verifying that D(x, z) = 1), and whether w is indeed a witness for x 
in v (by verifying that f(w, x) = v). Thus, by Theorem 1, we can construct 
a Σ-protocol (P, V) for the NP-relation R_param. In the resulting protocol, 
the common input to the prover and the verifier is the accumulated value v 
(i.e., a group public key) and the additional input to the prover is a tuple of 
the form (x, z, w) (i.e., a group secret key). Hence, the protocol (P, V) meets 
the specification of the Anon-ID protocol. 

As for the correctness of the above construction, observe that relation R_param 
is essentially equivalent to the relation between group secret keys and group 
public keys in the definition of Section 3.1. Consequently, a prover holding a 
group secret key gsk = (x, z, w) related in that sense to the group public key gpk = v 
given as input to the verifier, possesses a tuple belonging to the relation R_param, 
so that the execution of the Anon-ID protocol will terminate with the verifier 
outputting 1, with overwhelming probability. 

Soundness. Intuitively, the soundness of the above generic construction stems 
from the following considerations. The Special Honest-Verifier Zero-Knowledge 
property of the Σ-protocol Anon-ID guarantees that the Transcript Oracle 
doesn’t leak any information to the adversary that she could not compute her- 
self. By the Special Soundness property, in order to make the honest dealer ac- 
cept (with non-negligible probability) a run of the Anon-ID protocol in which the 
group public key gpk = v consists solely of the aggregation of public keys of non- 
corrupted users, A should possess a tuple gsk = (x, z, w) such that (x, z) ∈ R_λ 
and w is a witness of x in v. Now, the collision resistance of the accumulator 
implies that the user public key x must indeed have been accumulated within v, 
which means (by the third caveat of the soundness attack game in Section 3.2) 
that x belongs to a non-corrupted user. Hence, the adversary didn’t obtain the 
pre-image z via the user corruption oracle, which implies that A was able to find 
it by herself, contradicting the one-wayness of the accumulator’s domain. 

The above intuition can be turned into a rigorous reduction argument: we 
refer the reader to the full version [25] for a formal proof. 

Anonymity. In attacking the anonymity of the proposed scheme, the adver- 
sary basically chooses a group public key gpk = v and two group secret keys 
gsk_1 = (x_1, z_1, w_1) and gsk_2 = (x_2, z_2, w_2), both related to gpk. To subvert 
anonymity, the adversary should then be able (cf. Section 3.3) to tell whether 
gsk_1 or gsk_2 was used in producing the (honest) “challenge” transcript. Since 
in the generic construction above the Anon-ID protocol is implemented as a 
Σ-protocol, this would mean that the adversary is able to tell which “witness” 
(gsk_1 or gsk_2) was used by the prover to show that v belongs to the NP-language 
L_param associated to the NP-relation R_param. In other words, a successful adver- 
sary would break the Witness Indistinguishability of the Anon-ID protocol, which 
contradicts the fact that Anon-ID enjoys Special Honest-Verifier Zero-Knowledge. 
The reader is referred to [25] for a formalization of the above argument. 
4.1 Adding ID Escrow 

The generic construction described above can be extended to deal with Identity 
Escrow as follows. During the initialization, the Setup algorithm additionally 
runs the key generation algorithm K of some CCA2-secure encryption scheme 
(K, E, D). The resulting public key is included in the system parameters 
param, and the secret key sk_IE is given to the Identity Escrow Authority (IEA). 

As for the user registration phase, each new user, after choosing his user secret 
key/public key pair (sk, pk) = (z, x), registers his public key with the IEA, which 
simply stores his identity and public key in a publicly-available database DB. 

The Anon-ID protocol is also changed to be the Σ-protocol corresponding to 
the following NP-relation R_param: 

$$R_{\mathrm{param}} = \{\, ((v, \psi), (x, z, w)) \mid ((x, z) \in R_\lambda) \wedge (f(w, x) = v) \wedge (\psi \text{ decrypts to } x) \,\}$$

In other words, the prover now additionally encrypts his public key x under the 
IEA’s public key pk_IE, and proves to the verifier that he did so correctly. 

Finally, the Extract algorithm, on input a transcript π, recovers the ciphertext 
ψ from π and decrypts ψ, thus obtaining the identity of the user that played the 
role of the prover. 

It is not hard to check that the above changes do not affect the soundness 
and anonymity properties of the generic construction: in particular, the CCA2- 
security of the encryption scheme (which is needed since a malicious party could 
trick the IEA into acting as a decryption oracle) guarantees that honest tran- 
scripts cannot be modified so as to alter the prover identity hidden under the 
ciphertext ψ. See [25] for a security analysis of the extended scheme. 



5 Efficient Implementation 

5.1 Construction of an Accumulator with One-Way Domain 

An efficient construction of a collision-resistant accumulator was presented in 
[15], based on earlier work by [4] and [7]. Based on this construction, we present 
an efficient implementation of an accumulator with one-way domain. 

For λ ∈ N, the family F_λ consists of the exponentiation functions modulo 
λ-bit rigid integers: 

$$f : (\mathbb{Z}_n^*)^2 \times \mathbb{Z}_{n/4} \to (\mathbb{Z}_n^*)^2, \qquad f : (u, x) \mapsto u^x \bmod n$$

where n ∈ Rig_λ and (Z_n^*)^2 denotes the set of quadratic residues modulo n. 
The accumulator domain {X_λ}_{λ∈N} is defined by: 

$$X_\lambda = \{\, e \text{ prime} \mid (\tfrac{e-1}{2} \in \mathrm{RSA}_\ell) \wedge (e \in S(2^\ell, 2^\mu)) \,\}$$

where S(2^ℓ, 2^μ) is the integer range (2^ℓ − 2^μ, 2^ℓ + 2^μ) that is embedded within 
(0, 2^λ) with λ − 2 > ℓ and ℓ/2 > μ + 1. The pre-image domain {Z_λ}_{λ∈N} and the 
one-way relation {R_λ}_{λ∈N} are defined as follows: 

$$Z_\lambda = \{\, (e_1, e_2) \mid e_1, e_2 \text{ are distinct } \ell/2\text{-bit primes and } e_2 \in S(2^{\ell/2}, 2^\mu) \,\}$$

$$R_\lambda = \{\, (x, (e_1, e_2)) \in X_\lambda \times Z_\lambda \mid x = 2e_1e_2 + 1 \,\}$$

The collision resistance of the above construction can be based on the Strong 
RSA Assumption, as shown in [15]. Regarding the added one-wayness of the 
domain, assuming the hardness of factoring RSA integers, it is easy to see that 
the NP-relation R_λ satisfies our one-wayness requirement (cf. Section 2.2): 
hence, the above construction yields a secure accumulator with one-way domain. 
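As an added illustration, not code from the paper, the following Python instantiates the algorithms of Section 4 with the RSA accumulator of Section 5.1 on constructed toy parameters (modulus, base u and the user primes are all far too small to be secure, and n is not rigid); the final membership check stands in for what the Anon-ID Σ-protocol would prove in zero knowledge.

```python
# Added example, not code from the paper: a toy instantiation of the
# generic construction of Section 4 with the RSA accumulator of
# Section 5.1.  The modulus and primes are tiny and n is not rigid,
# so this only illustrates the algebra, never the security.
from functools import reduce


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


# Constructed toy parameters (assumption: a real deployment draws a
# lambda-bit rigid integer n and a random quadratic residue u).
N = 3233             # 53 * 61
U = pow(2, 2, N)     # u, a quadratic residue modulo n


def f(u, x):
    """The accumulator f(u, x) = u^x mod n of Section 5.1."""
    return pow(u, x, N)


def f_set(u, xs):
    """f(u, S): fold f over the set; quasi-commutativity makes the
    result independent of the order in which xs is traversed."""
    return reduce(f, xs, u)


def register(e1, e2):
    """Register: secret key z = (e1, e2), public key x = 2*e1*e2 + 1;
    membership in X_lambda requires x itself to be prime."""
    x = 2 * e1 * e2 + 1
    if not (is_prime(e1) and is_prime(e2) and e1 != e2 and is_prime(x)):
        raise ValueError("(x, z) is not in R_lambda")
    return (e1, e2), x


def D(x, z):
    """Decision algorithm D for the one-way relation R_lambda."""
    e1, e2 = z
    return x == 2 * e1 * e2 + 1


def make_gpk(S):
    """Make-GPK: gpk_S = f(u, S)."""
    return f_set(U, S)


def make_gsk(S_prime, z, x):
    """Make-GSK: w = f(u, S') is the witness for x in f(u, S' u {x});
    the group secret key is the tuple (x, z, w)."""
    return (x, z, f_set(U, S_prime))


def in_R_param(v, gsk):
    """The NP-relation R_param of Section 4, i.e. what Anon-ID proves:
    (x, z) in R_lambda and f(w, x) = v."""
    x, z, w = gsk
    return D(x, z) and f(w, x) == v
```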



5.2 Efficient Proof of Witnesses for the Accumulator 

The generic construction described in Section 4 derives algorithms Anon-ID^P and 
Anon-ID^V from the Σ-protocol corresponding to some NP-relation R_param; for 
our RSA-based accumulator with one-way domain, the relation is defined as: 

$$R_{\mathrm{param}} = \{\, (v, (x, (e_1, e_2), w)) \mid (w^x = v \bmod n) \wedge (x \in S(2^\ell, 2^\mu)) \wedge (x - 1 = 2e_1e_2) \wedge (e_2 \in S(2^{\ell/2}, 2^\mu)) \,\}$$

However, the protocol generically obtained in virtue of Theorem 1, though 
polynomial time, is not efficient enough to be useful in practice; thus, below we 
describe how a practical Σ-protocol for relation R_param could be constructed, 
exploiting the framework of discrete-log relation sets [31], which provides a sim- 
ple method to construct complex proofs of knowledge over groups of unknown 
order. A discrete-log relation set R is a set of vectors of length m defined over 
Z ∪ {α_1, ..., α_r} (where the α_i’s are called the free variables of the relation) 
and involves a sequence of base elements A_1, ..., A_m ∈ (Z_n^*)^2. For any vector 
(a_1, ..., a_m) the corresponding relation is defined as $\prod_{i=1}^{m} A_i^{a_i} = 1$. The con- 
junction of all the relations is denoted as R(α_1, ..., α_r). In [31], an efficient Σ- 
protocol is presented for any discrete-log relation set R, by which the prover can 
prove knowledge of a sequence of witnesses x_1, ..., x_r with x_i ∈ S(2^{ℓ_i}, 2^{μ_i}) 
that satisfy 

$$R(x_1, \ldots, x_r) \wedge \bigwedge_{i=1}^{r} \big( x_i \in S(2^{\ell_i}, 2^{\epsilon(\mu_i + k) + 2}) \big),$$

where ε > 1, k ∈ N are security parameters. Note that the tightness of the 
integer ranges can be increased by employing the range proofs of [10]; nevertheless 
the tightness achieved above is sufficient for our purposes, and incurs a lower 
overhead. 

In order to prove the relation R_param we assume that the public parameters 
param include the elements g, h, y, t, s ∈ (Z_n^*)^2 with unknown relative discrete 
logarithms. In order to construct the proof, the prover provides a sequence of 
public values T_1, T_2, T_3, T_4, T_5 such that T_1 = g^r, T_2 = h^r g^x, T_3 = s^r g^{e_2}, 
T_4 = w y^r, T_5 = t^r g^{2e_1}, where r ∈_R [0, ⌊n/4⌋ − 1]. 
The proof is constructed as a discrete-log relation set that corresponds to 
the equations T_1 = g^r, T_2 = h^r g^x, (T_1)^x = g^{a_1}, T_3 = s^r g^{e_2}, 
(T_1)^{e_2} = g^{a_2}, (T_4)^x = v y^{a_1}, (T_5)^{e_2} g = t^{a_2} g^x, for the free variables 
r, x, e_2, a_1, a_2 such that x ∈ S(2^ℓ, 2^μ), e_2 ∈ S(2^{ℓ/2}, 2^μ), a_1 = rx and 
a_2 = re_2. The matrix of the discrete-log relation set is shown below (each row 
lists the exponents a_j of the bases A_j in the column headers, and the relation of 
the row is $\prod_j A_j^{a_j} = 1$): 

$$
\begin{array}{l|cccccccccccc}
 & g & h & y & t & s & v & T_1^{-1} & T_2^{-1} & T_3^{-1} & T_4^{-1} & T_5^{-1} & g^{-1} \\ \hline
T_1 = g^r                     & r   & 0 & 0   & 0   & 0 & 0 & 1   & 0 & 0 & 0 & 0   & 0 \\
T_2 = h^r g^x                 & x   & r & 0   & 0   & 0 & 0 & 0   & 1 & 0 & 0 & 0   & 0 \\
(T_1)^x = g^{a_1}             & a_1 & 0 & 0   & 0   & 0 & 0 & x   & 0 & 0 & 0 & 0   & 0 \\
T_3 = s^r g^{e_2}             & e_2 & 0 & 0   & 0   & r & 0 & 0   & 0 & 1 & 0 & 0   & 0 \\
(T_1)^{e_2} = g^{a_2}         & a_2 & 0 & 0   & 0   & 0 & 0 & e_2 & 0 & 0 & 0 & 0   & 0 \\
(T_4)^x = v\, y^{a_1}         & 0   & 0 & a_1 & 0   & 0 & 1 & 0   & 0 & 0 & x & 0   & 0 \\
(T_5)^{e_2} g = t^{a_2} g^x   & x   & 0 & 0   & a_2 & 0 & 0 & 0   & 0 & 0 & 0 & e_2 & 1 \\
\end{array}
$$

Observe that a proof of the above discrete-log relation set ensures that (i) 
the prover knows a witness w for some value x in the ad-hoc group accumulated 
value v, and (ii) for the same x, the value x − 1 can be split by the prover 
into two integers one of which belongs to S(2^{ℓ/2}, 2^μ). This latter range-property 
guarantees the non-triviality of the splitting, i.e., that the prover knows a non- 
trivial factor of x − 1 (i.e., different from −1, 1, 2). Note that this will require 
that the parameters ℓ, μ, ε, k be selected such that ℓ/2 > ε(μ + k) + 2. 



5.3 ID Escrow 

In Section 4.1, we discussed a generic transformation to add Identity Escrow 
to an Ad hoc Anonymous Identification scheme. Most of the required changes 
do not affect the system’s efficiency, except for the need to resort to a generic 
derivation of the Anon-ID protocol. 

This performance penalty is not unavoidable, however: in fact, escrow capa- 
bilities can be directly supported by the Σ-protocol for Anonymous Identification 
described in Section 5.2, using protocols for verifiable encryption and decryption 
of discrete logarithms from [17]. 

With notation as in Section 5.2, the Anon-ID protocol is augmented as follows: 
after sending the commitment T_2 to the verifier, the prover verifiably encrypts 
an opening of T_2 (namely, x and r) under the IEA public key. By checking 
that the encryption was carried out correctly, the verifier can be assured that, 
should the need arise, the IEA would be able to identify the prover by decrypting 
such opening, which would yield the prover’s public key x. Moreover, by using 
verifiable decryption in the Extract algorithm, we can prevent the IEA from 
untruthfully opening the identity of the prover for a given transcript, or falsely 
claiming that the prover’s identity cannot be properly recovered. 

Alternatively, if only honest users are assumed to have access to the Escrow 
functionality (so that malicious parties cannot exploit the IEA as a “decryption 
oracle”), then a more efficient solution is possible, by having the IEA know the 
value log_g(h) in the proof of knowledge from Section 5. Then, given a transcript 
of the protocol (which includes the values T_1, T_2, T_3, T_4, T_5) the IEA can recover 
the value $g^x = T_2 \cdot T_1^{-\log_g(h)}$, from which the prover’s identity can be recovered 
by comparing to the public keys published in the public DB database. 
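As an added check, not from the paper, of the relation set of Section 5.2 and of the trapdoor trace of Section 5.3, the following Python evaluates the seven matrix rows on a toy modulus for a satisfying assignment and for two non-satisfying ones, and recovers g^x from T_1, T_2 as an IEA holding log_g(h) would; the bases, the exponent RHO and all sizes are constructed here, and the Σ-protocol itself is not implemented.

```python
# Added example, not code from the paper: a numeric check of the seven
# rows of the discrete-log relation set of Section 5.2, plus the
# trapdoor trace of Section 5.3.  No Sigma-protocol is run; only the
# algebra that such a proof establishes is evaluated, on a toy modulus.
N = 3233                 # toy RSA modulus (constructed; not rigid)


def inv(a):
    """Modular inverse, used for the T_i^{-1} and g^{-1} columns."""
    return pow(a, -1, N)


# Constructed bases in the quadratic residues.  Assumption: in the real
# scheme their relative discrete logs are unknown to everyone; here
# h = g^RHO so that the Section 5.3 trace can be demonstrated.
RHO = 123
G = pow(5, 2, N)
H = pow(G, RHO, N)
Y = pow(7, 2, N)
T = pow(11, 2, N)
S = pow(13, 2, N)


def commitments(r, x, e1, e2, w):
    """The public values T_1..T_5 sent by the prover (Section 5.2);
    T_5 = t^r g^{2 e1} is what lets row 7 encode x - 1 = 2 e1 e2."""
    T1 = pow(G, r, N)
    T2 = pow(H, r, N) * pow(G, x, N) % N
    T3 = pow(S, r, N) * pow(G, e2, N) % N
    T4 = w * pow(Y, r, N) % N
    T5 = pow(T, r, N) * pow(G, 2 * e1, N) % N
    return (T1, T2, T3, T4, T5)


def relation_set_holds(v, Ts, r, x, e2):
    """Check every row of the matrix: prod_j A_j^{a_j} == 1 (mod n)
    for the free variables r, x, e2, a1 = r*x, a2 = r*e2."""
    T1, T2, T3, T4, T5 = Ts
    a1, a2 = r * x, r * e2
    #        g  h  y  t  s  v  T1^-1    T2^-1    T3^-1    T4^-1    T5^-1    g^-1
    bases = [G, H, Y, T, S, v, inv(T1), inv(T2), inv(T3), inv(T4), inv(T5), inv(G)]
    rows = [
        [r,  0, 0,  0,  0, 0, 1,  0, 0, 0, 0,  0],   # T_1 = g^r
        [x,  r, 0,  0,  0, 0, 0,  1, 0, 0, 0,  0],   # T_2 = h^r g^x
        [a1, 0, 0,  0,  0, 0, x,  0, 0, 0, 0,  0],   # (T_1)^x = g^{a_1}
        [e2, 0, 0,  0,  r, 0, 0,  0, 1, 0, 0,  0],   # T_3 = s^r g^{e_2}
        [a2, 0, 0,  0,  0, 0, e2, 0, 0, 0, 0,  0],   # (T_1)^{e_2} = g^{a_2}
        [0,  0, a1, 0,  0, 1, 0,  0, 0, x, 0,  0],   # (T_4)^x = v y^{a_1}
        [x,  0, 0,  a2, 0, 0, 0,  0, 0, 0, e2, 1],   # (T_5)^{e_2} g = t^{a_2} g^x
    ]
    for row in rows:
        acc = 1
        for base, exp in zip(bases, row):
            acc = acc * pow(base, exp, N) % N
        if acc != 1:
            return False
    return True


def iea_trace(Ts, rho=RHO):
    """Section 5.3: an IEA knowing log_g(h) = rho recovers g^x as
    T_2 * T_1^{-rho}, to be matched against the registered public keys."""
    T1, T2 = Ts[0], Ts[1]
    return T2 * inv(pow(T1, rho, N)) % N
```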

6 Applications 

6.1 Ad Hoc Identification Schemes 

This is the most direct application. Imagine a large universe of users, where 
each user has a public certificate, but otherwise there is no central authority 
in the system. Now, some party “from the street” has a resource which he is 
willing to share with some subset of the users. For example, an Internet provider 
P may want to enable internet access to all its subscribers. However, privacy 
considerations may lead a user to refuse to positively identify himself; in fact, 
this is not strictly necessary, as long as he proves he belongs to the group of 
current subscribers. Our ad-hoc identification schemes are ideally suited for this 
application, bringing several very convenient features. First, P can simply take 
all the public keys of the users (call this set S) and combine them into one 
short group public key gpk_S. Notice, this initial setup is the only operation P 
performs which requires time proportional to the group size. As for each user 
u ∈ S, once again he will use his secret key and the public keys of the other users 
to prepare one short group secret key gsk_u. After that, all identifications that u 
makes to P require computation and communication independent of the size of 
the group. Now, another provider P' can do the same for a totally different sub- 
group, and so on, allowing truly ad-hoc groups with no trusted authority needed 
in the system. Additionally, with incremental Ad hoc Anonymous Identification 
schemes (defined in the full version of this paper [25]), one can preserve efficiency 
even when the ad-hoc group is built gradually, as each new member addition only 
requires constant computation by P and by every pre-existing user in the system. 

6.2 Constant Size Ring Signatures 

This is one of our main applications, since it dramatically improves the efficiency 
of all known ring signature schemes (e.g. [34, 12, 9]). Recall, in a ring signature 
scheme there again is a universe of registered users, but no trusted authority. 
Any user u can then form a ring S, and sign a message m in such a way that 
any verifier (who knows S) can confidently conclude that “the message m was 
signed by some member u of S”, but gets no information about u beyond u ∈ S. 
Previous papers on the subject suggested that linear dependence of the ring 
signature size on the size of the ring S was inevitable, since the group is ad-hoc, 
so the verifier needs to know at least the description of the ring. While the latter 
is true, in practical situations the ring often stays the same for a long period 
of time (in fact, there could be many “popular” rings that are used very often 
by various members of the ring), or has an implicit short description (e.g., the 
ring of public keys of all members of the President’s Cabinet). Thus, we feel 
that the right measure of “signature size” in this situation is that of an “actual 
signature” — the string one needs in addition to the group description. Indeed, 
when the ring stays the same for a long time or has a short description, this 
actual signature is all that the verifier needs in order to verify its correctness. 
With this in mind, there is no reason why the signature size must be linear in 
the size of the ring. 

In fact, our result shows that it does not have to be. Specifically, by applying 
the Fiat-Shamir heuristic to our ad-hoc identification scheme, we immediately 
get ring signatures of constant size. Moreover, our ring signatures enjoy several 
desirable features not generally required by ring signatures (even those of con- 
stant size). For example, both the signer and the verifier need to perform a one- 
time computation proportional to the size of the ring, and get some constant-size 
information (gsk_S and gpk_S, respectively) which allows them to produce/verify 
many subsequent signatures in constant time. 



6.3 Ad Hoc ID Escrow and Group Signatures 

As mentioned in Section 3.4, in some situations complete anonymity might not 
be desirable. In this case, one wishes to introduce a trusted Identity Escrow Au- 
thority (IEA), who can reveal the true identity of the user given the transcript of 
the identification procedure (presumably, when some “anonymity abuse” hap- 
pens). Such schemes are called ID Escrow schemes [32] and have traditionally 
been considered for fixed groups. ID Escrow schemes are duals of group signa- 
ture schemes [19, 1], which again maintain a single group of signers, and where 
a similar concern is an issue when signing a document anonymously. As argued 
in Section 4.1 and Section 5.3, our Ad hoc Anonymous Identification schemes 
and the corresponding signer-ambiguous signature schemes can efficiently sup- 
port identity escrow capabilities. As a result, we get an ID Escrow and a group 
signature scheme with the following nice features. (For concreteness, we concen- 
trate on group signatures below.) First, just like in current state-of-the-art group 
signature schemes, the signature is of constant size. Second, a user can join any 
group by simply telling the group manager about its public key: no expensive 
interactive protocols, where the user will “get a special certificate”, have to be 
run. Thus, the group manager only needs to decide if the user can join the group, 
and periodically certify the “current” public key of the group. In other words, 
we can imagine a simple bulletin board, where the group manager periodically 
publishes the (certified) group public key of the group, the description of the group, 
and potentially the history of how the public key evolved (which is very handy 
for incremental Ad hoc Anonymous Identification schemes; see [25]). From this 
information, each member of the group can figure out its group secret key and 
sign arbitrarily many messages efficiently. (Of course, when signing a message the 
signer should also include the certified version of the current group key, so that 
“old” signatures do not get invalidated when the group key changes.) 